mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:11:31 +00:00
shankar0123
3c605d5618
# Phase 6 — day-0 admin bootstrap * internal/auth/bootstrap/ (new package): Strategy interface + EnvTokenStrategy with constant-time compare, one-shot consumption via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC- first-admin will plug in alongside as an alternate Strategy. * BootstrapService.ValidateAndMint: validates the operator's CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API key value, persists the SHA-256 hash to api_keys, grants r-admin via actor_roles, AddHashed's the runtime keystore so the just- minted key authenticates the next request without restart, and records bootstrap.consume to the audit trail with category=auth. * internal/auth/keystore.go (new): KeyStore interface + StaticKeyStore (immutable env-var-only path) + MutableKeyStore (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth middleware now consumes a KeyStore so the bootstrap path can extend the lookup table at runtime. * migrations/000031_api_keys.up/down.sql: api_keys table with (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by, created_at, expires_at, last_used_at). Idempotent. * /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both routes documented in api/openapi.yaml + AuthExemptRouterRoutes allowlist updated. The token never leaves internal/auth/bootstrap; the minted plaintext key flows only into the HTTP response body. * Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND admin actors already exist (config drift signal). * Tests: 4 strategy invariants (empty token born disabled, wrong token=ErrInvalidToken without consumption, one-shot consumption, admin-exists closes path), 5 service tests (happy path + actor- name validation + propagation of strategy errors + nil-deps guard + 32-byte entropy budget), 8 HTTP-handler tests (status 201/410/401/400 mapping + token-leak hygiene scan of slog + audit details + Location header). Token-leak test redirects slog.Default to a buffer for the test scope. # Phase 7 — API-key migration + scope-down CLI * GET /v1/auth/keys handler + service method ListKeys backed by ActorRoleRepository.ListDistinctActors. Returns one row per (actor_id, actor_type) pair with the slice of role IDs they hold. Permission: auth.role.list. * internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown (interactive), AuthScopeDownNonInteractive (JSON config), AuthScopeDownSuggest (--suggest with optional --apply). The synthetic actor-demo-anon is filtered out of every interactive / bulk path; non-interactive flow logs and skips it explicitly. * SuggestRoleFromAuditEvents (pure function): walks 30 days of audit events per actor and returns the narrowest matching role (admin / mcp / viewer / agent / operator) plus a one-line reason. Classification: any admin-shaped action wins; otherwise all-MCP → mcp; all-read-only → viewer; all-agent-shaped → agent; otherwise operator. Test table pins all six classifications. * CLI subcommand tree extended: 'auth keys list' + 'auth keys scope-down [--non-interactive <cfg>] [--suggest [--apply]]'. * CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS call-out + four flow examples. # Phase 8 — auditor role + event_category column * migrations/000032_audit_category.up/down.sql: ALTER TABLE audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT 'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config) + (event_category) and (event_category, timestamp DESC) indexes for the auditor-filter query path. WORM trigger from migration 000018 continues to enforce append-only at the DB layer (DDL is not blocked). * domain.AuditEvent gains EventCategory string (omitempty); domain.EventCategoryCertLifecycle / Auth / Config constants. * AuditService.RecordEventWithCategory sibling of RecordEvent; legacy callers stay on RecordEvent (defaults to cert_lifecycle). Auth callers (RoleService, ActorRoleService, BootstrapService) switched to RecordEventWithCategory(..., 'auth', ...). * GET /v1/audit?category=<cat>: handler accepts the optional query param, validates against the enum (400 on invalid value), dispatches through ListAuditEventsByCategory. OpenAPI updated with the new query param + AuditEvent.event_category schema. * Postgres AuditRepository.Create now writes event_category; AuditRepository.List filters on it; AuditFilter.EventCategory gates the WHERE clause. * Tests: 5 audit-category-filter HTTP tests (dispatch routing, back-compat fallback, 400 for invalid values, all 3 enum values accepted, page+category combine, JSON output surfaces the field). 3 auditor-role invariants (auditor holds exactly audit.read+audit.export, no mutating perms, disjoint from viewer except audit.read). # Cross-phase wiring * HandlerRegistry.Bootstrap field added; cmd/server/main.go wires the bootstrap service ahead of RegisterHandlers (extracted assembleNamedAPIKeys helper into auth_backfill.go, moved the keystore + bootstrap construction up alongside the auth repos). * AuthCheckResolver / AuthActorRoleService extended with ListKeys to satisfy the Phase 7 surface; existing fakes updated. * fakeAudit + mockAuditService stubs in tests gain RecordEventWithCategory + ListAuditEventsByCategory; existing tests untouched. # Verifications * gofmt -l: clean across every modified file. * go vet ./...: clean. * staticcheck across internal/auth + handler + router + cli + service + repository + cmd + domain: clean. * go test -short -count=1: green across every Bundle-1-touched package — internal/auth (incl. bootstrap), internal/api/handler, internal/api/router, internal/cli, internal/service/auth, internal/service, internal/domain/auth, internal/repository/postgres, cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware, cmd/agent, internal/mcp.
166 lines
4.6 KiB
Go
166 lines
4.6 KiB
Go
package cli
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
// TestSuggestRoleFromAuditEvents_TablePins the audit-event analyser
|
|
// classification rules. Pure function; no I/O. Adding a new role
|
|
// pattern means adding a row here.
|
|
func TestSuggestRoleFromAuditEvents_Table(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
events []AuditEventLite
|
|
wantRole string
|
|
reasonHint string
|
|
}{
|
|
{
|
|
name: "empty history → viewer",
|
|
events: nil,
|
|
wantRole: "viewer",
|
|
reasonHint: "no audit history",
|
|
},
|
|
{
|
|
name: "only cert.read → viewer",
|
|
events: []AuditEventLite{
|
|
{Action: "cert.read"},
|
|
{Action: "cert.read"},
|
|
{Action: "issuer.read"},
|
|
},
|
|
wantRole: "viewer",
|
|
reasonHint: "read-only",
|
|
},
|
|
{
|
|
name: "agent + cert.issue → agent",
|
|
events: []AuditEventLite{
|
|
{Action: "agent.heartbeat"},
|
|
{Action: "agent.job.poll"},
|
|
{Action: "cert.issue"},
|
|
{Action: "cert.read"},
|
|
},
|
|
wantRole: "agent",
|
|
reasonHint: "agent",
|
|
},
|
|
{
|
|
name: "cert lifecycle without admin → operator",
|
|
events: []AuditEventLite{
|
|
{Action: "cert.issue"},
|
|
{Action: "cert.revoke"},
|
|
{Action: "profile.edit"},
|
|
{Action: "target.edit"},
|
|
},
|
|
wantRole: "operator",
|
|
reasonHint: "lifecycle",
|
|
},
|
|
{
|
|
name: "any auth.role.assign → admin",
|
|
events: []AuditEventLite{
|
|
{Action: "auth.role.assign"},
|
|
},
|
|
wantRole: "admin",
|
|
reasonHint: "admin-only",
|
|
},
|
|
{
|
|
name: "any cert.bulk_revoke → admin",
|
|
events: []AuditEventLite{
|
|
{Action: "cert.bulk_revoke"},
|
|
},
|
|
wantRole: "admin",
|
|
reasonHint: "admin-only",
|
|
},
|
|
{
|
|
name: "ca.hierarchy.* → admin",
|
|
events: []AuditEventLite{
|
|
{Action: "ca.hierarchy.add_child"},
|
|
},
|
|
wantRole: "admin",
|
|
reasonHint: "admin-only",
|
|
},
|
|
{
|
|
name: "MCP-only history → mcp",
|
|
events: []AuditEventLite{
|
|
{Action: "mcp.list_certificates"},
|
|
{Action: "mcp.get_issuer"},
|
|
},
|
|
wantRole: "mcp",
|
|
reasonHint: "MCP",
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
role, reason := SuggestRoleFromAuditEvents(tc.events)
|
|
if role != tc.wantRole {
|
|
t.Errorf("role = %q, want %q (reason=%q)", role, tc.wantRole, reason)
|
|
}
|
|
if !strings.Contains(strings.ToLower(reason), strings.ToLower(tc.reasonHint)) {
|
|
t.Errorf("reason %q does not contain hint %q", reason, tc.reasonHint)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestFilterScopeDownCandidates_HidesDemoAnon pins the invariant that
|
|
// the synthetic actor-demo-anon row never reaches the prompt loop.
|
|
func TestFilterScopeDownCandidates_HidesDemoAnon(t *testing.T) {
|
|
in := []AuthKeyEntry{
|
|
{ActorID: "alice", RoleIDs: []string{"r-admin"}},
|
|
{ActorID: DemoAnonActorID, RoleIDs: []string{"r-admin"}},
|
|
{ActorID: "bob", RoleIDs: []string{"r-viewer"}},
|
|
}
|
|
got := filterScopeDownCandidates(in)
|
|
if len(got) != 2 {
|
|
t.Fatalf("got %d candidates, want 2", len(got))
|
|
}
|
|
for _, k := range got {
|
|
if k.ActorID == DemoAnonActorID {
|
|
t.Errorf("filter let actor-demo-anon through")
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestBuildScopeDownPlan_KeepEmptyAndUnknown pins the prompt-loop
|
|
// behaviour: empty input or "keep" leaves the row alone; unknown role
|
|
// names also fall through (operator can re-run the flow).
|
|
func TestBuildScopeDownPlan_KeepEmptyAndUnknown(t *testing.T) {
|
|
keys := []AuthKeyEntry{
|
|
{ActorID: "alice", RoleIDs: []string{"r-admin"}},
|
|
{ActorID: "bob", RoleIDs: []string{"r-admin"}},
|
|
{ActorID: "carol", RoleIDs: []string{"r-admin"}},
|
|
}
|
|
// alice keeps; bob → operator; carol → bogus role (no change).
|
|
in := bufio.NewReader(strings.NewReader("\noperator\nbogus\n"))
|
|
var out bytes.Buffer
|
|
plan, err := buildScopeDownPlan(keys, in, &out)
|
|
if err != nil {
|
|
t.Fatalf("plan err = %v", err)
|
|
}
|
|
if len(plan) != 1 {
|
|
t.Fatalf("plan size = %d, want 1 (only bob changes)", len(plan))
|
|
}
|
|
if plan[0].ActorID != "bob" || plan[0].TargetRole != "r-operator" {
|
|
t.Errorf("plan[0] = %+v, want bob → r-operator", plan[0])
|
|
}
|
|
}
|
|
|
|
// TestBuildScopeDownPlan_ApplyRolePrefix pins that the "operator"
|
|
// input becomes "r-operator" downstream — the API accepts the
|
|
// prefixed role IDs and the plan-builder normalizes.
|
|
func TestBuildScopeDownPlan_ApplyRolePrefix(t *testing.T) {
|
|
keys := []AuthKeyEntry{{ActorID: "alice", RoleIDs: []string{"r-admin"}}}
|
|
for _, role := range []string{"admin", "operator", "viewer", "agent", "mcp", "cli", "auditor"} {
|
|
in := bufio.NewReader(strings.NewReader(role + "\n"))
|
|
var out bytes.Buffer
|
|
plan, err := buildScopeDownPlan(keys, in, &out)
|
|
if err != nil {
|
|
t.Fatalf("role=%s: %v", role, err)
|
|
}
|
|
if len(plan) != 1 || plan[0].TargetRole != "r-"+role {
|
|
t.Errorf("role=%s: plan[0].TargetRole = %q, want r-%s", role, plan[0].TargetRole, role)
|
|
}
|
|
}
|
|
}
|