mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 23:11:32 +00:00
shankar0123
99a012e3be
Bundle 1 / Phase 0: pure refactor splitting auth surface out of internal/api/middleware so Bundle 2 (OIDC + sessions) and the broader RBAC primitive (roles, permissions, scoped grants) have a clean home. Moved to internal/auth/: NamedAPIKey, HashAPIKey, AuthConfig, NewAuthWithNamedKeys, NewAuth, UserKey, AdminKey, GetUser, IsAdmin. Added testfixtures.go (WithActor / WithAdmin / WithActorAdmin) so handler tests don't construct context manually. Stayed in internal/api/middleware/: RequestID, Logging, NewLogging, Recovery, RateLimitConfig, NewRateLimiter (now imports auth.GetUser for per-user keying per audit Category C), CORSConfig, NewCORS, ContentType, CORS, GetRequestID, responseWriter, Chain, audit middleware (now imports auth.GetUser). Updated 22 caller files across cmd/, internal/api/handler/, internal/api/middleware/, internal/mcp/. Existing m008_admin_gate_test.go now scans for auth.IsAdmin( substring; Phase 3 will further evolve to track auth.RequirePermission. Behavior unchanged: all handler / middleware / service / connector / cmd / mcp tests pass with no test-logic edits, only import-path renames. Phase 0 exit criteria: internal/auth/ exists with 6 files; middleware.go went 575 -> 422 lines (auth-related ~150 lines moved out); grep -rE 'middleware\.(GetUser|IsAdmin|UserKey|AdminKey|NamedAPIKey|HashAPIKey|NewAuth)' returns 0 hits; context.WithValue(.*middleware.UserKey/AdminKey) returns 0 hits; go vet ./... clean; go test -short ./... green across all packages tested. Branch: dev/auth-bundle-1. Per cowork/auth-bundle-1-prompt.md, do not merge to master without (1) make verify green, (2) >= 2 external testers confirm, (3) >= 90% coverage on internal/auth/ in .github/coverage-thresholds.yml.
203 lines
6.4 KiB
Go
203 lines
6.4 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"strconv"
|
|
|
|
"github.com/certctl-io/certctl/internal/api/middleware"
|
|
"github.com/certctl-io/certctl/internal/auth"
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
"github.com/certctl-io/certctl/internal/service"
|
|
)
|
|
|
|
// ApprovalServicer is the handler-facing surface of the approval-workflow
|
|
// service. Defined here (handler-defined service interface, dependency
|
|
// inversion) so the handler stays decoupled from the concrete
|
|
// *service.ApprovalService.
|
|
//
|
|
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable, commit 3
|
|
// of 4 — the API + RBAC layer.
|
|
type ApprovalServicer interface {
|
|
Approve(ctx context.Context, requestID, decidedBy, note string) error
|
|
Reject(ctx context.Context, requestID, decidedBy, note string) error
|
|
Get(ctx context.Context, id string) (*domain.ApprovalRequest, error)
|
|
List(ctx context.Context, filter *repository.ApprovalFilter) ([]*domain.ApprovalRequest, error)
|
|
}
|
|
|
|
// ApprovalHandler handles HTTP requests for the issuance approval workflow.
|
|
// All endpoints are pinned at /api/v1/approvals/*.
|
|
type ApprovalHandler struct {
|
|
svc ApprovalServicer
|
|
}
|
|
|
|
// NewApprovalHandler constructs an ApprovalHandler with a service dependency.
|
|
func NewApprovalHandler(svc ApprovalServicer) ApprovalHandler {
|
|
return ApprovalHandler{svc: svc}
|
|
}
|
|
|
|
// approvalDecisionBody is the JSON body shape for Approve / Reject endpoints.
|
|
type approvalDecisionBody struct {
|
|
Note string `json:"note,omitempty"`
|
|
}
|
|
|
|
// ListApprovals returns paginated approval requests, optionally filtered
|
|
// by ?state=, ?certificate_id=, ?requested_by=.
|
|
//
|
|
// GET /api/v1/approvals?state=pending&page=1&per_page=50
|
|
func (h ApprovalHandler) ListApprovals(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
requestID := middleware.GetRequestID(r.Context())
|
|
|
|
q := r.URL.Query()
|
|
page, _ := strconv.Atoi(q.Get("page"))
|
|
if page < 1 {
|
|
page = 1
|
|
}
|
|
perPage, _ := strconv.Atoi(q.Get("per_page"))
|
|
if perPage < 1 || perPage > 500 {
|
|
perPage = 50
|
|
}
|
|
|
|
filter := &repository.ApprovalFilter{
|
|
State: q.Get("state"),
|
|
CertificateID: q.Get("certificate_id"),
|
|
RequestedBy: q.Get("requested_by"),
|
|
Page: page,
|
|
PerPage: perPage,
|
|
}
|
|
results, err := h.svc.List(r.Context(), filter)
|
|
if err != nil {
|
|
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to list approval requests", requestID)
|
|
return
|
|
}
|
|
JSON(w, http.StatusOK, map[string]interface{}{
|
|
"data": results,
|
|
"page": page,
|
|
"per_page": perPage,
|
|
})
|
|
}
|
|
|
|
// GetApproval returns a single approval request by ID.
|
|
//
|
|
// GET /api/v1/approvals/{id}
|
|
func (h ApprovalHandler) GetApproval(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
requestID := middleware.GetRequestID(r.Context())
|
|
id := r.PathValue("id")
|
|
if id == "" {
|
|
ErrorWithRequestID(w, http.StatusBadRequest, "id required", requestID)
|
|
return
|
|
}
|
|
req, err := h.svc.Get(r.Context(), id)
|
|
if err != nil {
|
|
if errors.Is(err, service.ErrApprovalNotFound) {
|
|
ErrorWithRequestID(w, http.StatusNotFound, "approval request not found", requestID)
|
|
return
|
|
}
|
|
ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to get approval request", requestID)
|
|
return
|
|
}
|
|
JSON(w, http.StatusOK, req)
|
|
}
|
|
|
|
// Approve transitions a pending approval request to approved + transitions
|
|
// the linked Job from AwaitingApproval to Pending. RBAC: the authenticated
|
|
// actor extracted via auth.UserKey must NOT equal the request's
|
|
// RequestedBy — the service-layer check enforces this and the handler
|
|
// surfaces it as HTTP 403.
|
|
//
|
|
// POST /api/v1/approvals/{id}/approve
|
|
// Body: {"note": "approved per ticket SECOPS-12345"} (optional)
|
|
func (h ApprovalHandler) Approve(w http.ResponseWriter, r *http.Request) {
|
|
h.decision(w, r, decisionApprove)
|
|
}
|
|
|
|
// Reject transitions a pending approval request to rejected + cancels
|
|
// the linked Job. Same RBAC contract as Approve.
|
|
//
|
|
// POST /api/v1/approvals/{id}/reject
|
|
// Body: {"note": "rejected: not on business-justification list"} (optional)
|
|
func (h ApprovalHandler) Reject(w http.ResponseWriter, r *http.Request) {
|
|
h.decision(w, r, decisionReject)
|
|
}
|
|
|
|
type decisionAction int
|
|
|
|
const (
|
|
decisionApprove decisionAction = iota
|
|
decisionReject
|
|
)
|
|
|
|
func (h ApprovalHandler) decision(w http.ResponseWriter, r *http.Request, action decisionAction) {
|
|
if r.Method != http.MethodPost {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
requestID := middleware.GetRequestID(r.Context())
|
|
|
|
id := r.PathValue("id")
|
|
if id == "" {
|
|
ErrorWithRequestID(w, http.StatusBadRequest, "id required", requestID)
|
|
return
|
|
}
|
|
|
|
// Extract authenticated actor. The auth middleware sets UserKey to the
|
|
// API-key NamedAPIKey.Name (or empty for unauthenticated). RBAC at the
|
|
// service layer requires a non-empty actor.
|
|
actor, _ := r.Context().Value(auth.UserKey{}).(string)
|
|
if actor == "" {
|
|
ErrorWithRequestID(w, http.StatusUnauthorized,
|
|
"authentication required to approve / reject", requestID)
|
|
return
|
|
}
|
|
|
|
body := approvalDecisionBody{}
|
|
if r.Body != nil && r.ContentLength > 0 {
|
|
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
|
ErrorWithRequestID(w, http.StatusBadRequest,
|
|
"invalid JSON body", requestID)
|
|
return
|
|
}
|
|
}
|
|
|
|
var err error
|
|
switch action {
|
|
case decisionApprove:
|
|
err = h.svc.Approve(r.Context(), id, actor, body.Note)
|
|
case decisionReject:
|
|
err = h.svc.Reject(r.Context(), id, actor, body.Note)
|
|
}
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, service.ErrApprovalNotFound):
|
|
ErrorWithRequestID(w, http.StatusNotFound, err.Error(), requestID)
|
|
case errors.Is(err, service.ErrApprovalAlreadyDecided):
|
|
ErrorWithRequestID(w, http.StatusConflict, err.Error(), requestID)
|
|
case errors.Is(err, service.ErrApproveBySameActor):
|
|
// The load-bearing two-person integrity contract surface.
|
|
// Compliance auditors expect this exact code path.
|
|
ErrorWithRequestID(w, http.StatusForbidden, err.Error(), requestID)
|
|
default:
|
|
ErrorWithRequestID(w, http.StatusInternalServerError,
|
|
"Failed to record decision", requestID)
|
|
}
|
|
return
|
|
}
|
|
|
|
JSON(w, http.StatusOK, map[string]interface{}{
|
|
"id": id,
|
|
"decided_by": actor,
|
|
"action": map[decisionAction]string{decisionApprove: "approved", decisionReject: "rejected"}[action],
|
|
})
|
|
}
|