gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:01:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bd54d5f7fa96845981d6ccd7f2515ec859e54510
certctl/internal/service/auth/actor_role_service.go
T
shankar0123 bd54d5f7fa auth-bundle-1 Phase 2: RBAC service layer + Authorizer primitive 
Bundle 1 / Phase 2: ships PermissionService, RoleService, ActorRoleService, and the Authorizer primitive that Phase 3 RequirePermission middleware calls on every gated request.

Authorizer.CheckPermission semantics: a grant matches when (a) the permission name equals the requested permission AND (b) the grant is global-scoped OR the grant scope_type+scope_id exactly match the request. Global beats specific; per-resource grants widen the effective set rather than shadowing global. Hot-path query is one ActorRoleRepository.EffectivePermissions JOIN call (already shipped in Phase 1) plus an in-memory walk; Phase 12 will add benchmarks + caching if the JOIN cost shows up at scale.

Privilege-escalation guard: ActorRoleService.Grant and Revoke require the caller to hold auth.role.assign globally. Without it, ErrSelfRoleAssignment. System callers (AsSystemCaller()) bypass the check; bootstrap, migrations, scheduler-initiated grants use this path. Reserved actor actor-demo-anon is rejected on Grant + Revoke so the demo path stays alive even after a misclick (ErrAuthReservedActor).

Caller abstraction: every service entry point takes *Caller (ActorID, ActorType, TenantID, IsSystem). CallerFromContext is a stub returning ErrUnauthenticated; Phase 3 wires the middleware-context bridge that fills the Caller from request context. The contract is pinned by TestCallerFromContext_Phase2ReturnsUnauthenticated so the Phase 3 upgrade is observable.

Audit recording: every mutating service operation calls AuditService.RecordEvent. Bundle 1 Phase 8 adds the event_category column + parameter and back-fills 'auth' for these calls; until then the rows go in with the default category.

Test coverage: in-memory fakeRoleRepo / fakePermissionRepo / fakeActorRoleRepo / fakeAudit pin the privilege-escalation invariants (ErrUnauthenticated for nil caller, ErrForbidden for missing perm, ErrInvalidPermission for non-canonical permission name, ErrSelfRoleAssignment for Grant without auth.role.assign, ErrAuthReservedActor for actor-demo-anon mutations, system-caller bypass) without requiring testcontainers. Phase 12 will add live-Postgres integration coverage.

Branch: dev/auth-bundle-1. Phase 1 was 19497ee (RBAC schema + repo). Phase 3 (middleware integration) is the next commit on this branch.
2026-05-09 16:20:04 +00:00

153 lines
5.4 KiB
Go
Raw Blame History

package auth
import (
"context"
"fmt"
"github.com/certctl-io/certctl/internal/domain"
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
"github.com/certctl-io/certctl/internal/repository"
)
// ActorRoleService grants / revokes roles to actors and exposes the
// effective-permissions query the Phase 3 middleware uses on the hot
// path.
type ActorRoleService struct {
repo repository.ActorRoleRepository
roleRepo repository.RoleRepository
authorizer *Authorizer
audit AuditService
}
// NewActorRoleService constructs an ActorRoleService.
func NewActorRoleService(
repo repository.ActorRoleRepository,
roleRepo repository.RoleRepository,
authorizer *Authorizer,
audit AuditService,
) *ActorRoleService {
return &ActorRoleService{
repo: repo,
roleRepo: roleRepo,
authorizer: authorizer,
audit: audit,
}
}
// Grant assigns a role to an actor. Privilege-escalation guard: the
// caller must hold `auth.role.assign` (globally). System callers
// bypass. Reserved actor `actor-demo-anon` is rejected.
func (s *ActorRoleService) Grant(ctx context.Context, caller *Caller, ar *authdomain.ActorRole) error {
if caller == nil {
return ErrUnauthenticated
}
if !caller.IsSystem {
ok, err := s.authorizer.HoldsAnyOf(ctx, caller.ActorID, authdomain.ActorTypeValue(caller.ActorType), s.tenantOf(caller), "auth.role.assign")
if err != nil {
return err
}
if !ok {
return fmt.Errorf("%w: auth.role.assign required", ErrSelfRoleAssignment)
}
}
if ar.ActorID == authdomain.DemoAnonActorID {
return fmt.Errorf("%w: actor-demo-anon is reserved", repository.ErrAuthReservedActor)
}
if ar.TenantID == "" {
ar.TenantID = authdomain.DefaultTenantID
}
if err := s.repo.Grant(ctx, ar); err != nil {
return err
}
s.recordAudit(ctx, caller, "actor_role.grant", "actor_role", ar.ID, map[string]interface{}{
"actor_id": ar.ActorID,
"actor_type": string(ar.ActorType),
"role_id": ar.RoleID,
})
return nil
}
// Revoke removes a previously-granted role from an actor. Same
// privilege guard as Grant: caller needs `auth.role.assign` to mutate
// role membership. Reserved actor `actor-demo-anon` is rejected so the
// demo path stays alive even after a misclick.
func (s *ActorRoleService) Revoke(ctx context.Context, caller *Caller, actorID string, actorType domain.ActorType, roleID string) error {
if caller == nil {
return ErrUnauthenticated
}
if !caller.IsSystem {
ok, err := s.authorizer.HoldsAnyOf(ctx, caller.ActorID, authdomain.ActorTypeValue(caller.ActorType), s.tenantOf(caller), "auth.role.assign")
if err != nil {
return err
}
if !ok {
return fmt.Errorf("%w: auth.role.assign required", ErrSelfRoleAssignment)
}
}
if actorID == authdomain.DemoAnonActorID {
return fmt.Errorf("%w: actor-demo-anon is reserved", repository.ErrAuthReservedActor)
}
tenantID := s.tenantOf(caller)
if err := s.repo.Revoke(ctx, actorID, authdomain.ActorTypeValue(actorType), roleID, tenantID); err != nil {
return err
}
s.recordAudit(ctx, caller, "actor_role.revoke", "actor_role", roleID, map[string]interface{}{
"actor_id": actorID,
"actor_type": string(actorType),
"role_id": roleID,
})
return nil
}
// ListForActor returns the roles held by the named actor.
func (s *ActorRoleService) ListForActor(ctx context.Context, caller *Caller, actorID string, actorType domain.ActorType) ([]*authdomain.ActorRole, error) {
if caller == nil {
return nil, ErrUnauthenticated
}
if !caller.IsSystem && caller.ActorID != actorID {
ok, err := s.authorizer.HoldsAnyOf(ctx, caller.ActorID, authdomain.ActorTypeValue(caller.ActorType), s.tenantOf(caller), "auth.role.list")
if err != nil {
return nil, err
}
if !ok {
return nil, fmt.Errorf("%w: auth.role.list required to view another actor's roles", ErrForbidden)
}
}
return s.repo.ListByActor(ctx, actorID, authdomain.ActorTypeValue(actorType), s.tenantOf(caller))
}
// EffectivePermissions returns the deduplicated (permission, scope)
// pairs granted to the actor across all roles. Phase 3 middleware
// (auth.RequirePermission) calls this on every gated request via the
// Authorizer; that hot path skips RBAC self-checks. The service-level
// method here is for handler / GUI callers (the /v1/auth/me endpoint).
func (s *ActorRoleService) EffectivePermissions(ctx context.Context, caller *Caller, actorID string, actorType domain.ActorType) ([]repository.EffectivePermission, error) {
if caller == nil {
return nil, ErrUnauthenticated
}
if !caller.IsSystem && caller.ActorID != actorID {
ok, err := s.authorizer.HoldsAnyOf(ctx, caller.ActorID, authdomain.ActorTypeValue(caller.ActorType), s.tenantOf(caller), "auth.role.list")
if err != nil {
return nil, err
}
if !ok {
return nil, fmt.Errorf("%w: auth.role.list required to view another actor's permissions", ErrForbidden)
}
}
return s.repo.EffectivePermissions(ctx, actorID, authdomain.ActorTypeValue(actorType), s.tenantOf(caller))
}
func (s *ActorRoleService) tenantOf(caller *Caller) string {
if caller != nil && caller.TenantID != "" {
return caller.TenantID
}
return authdomain.DefaultTenantID
}
func (s *ActorRoleService) recordAudit(ctx context.Context, caller *Caller, action, resourceType, resourceID string, details map[string]interface{}) {
if s.audit == nil || caller == nil {
return
}
_ = s.audit.RecordEvent(ctx, caller.ActorID, caller.ActorType, action, resourceType, resourceID, details)
}
Reference in New Issue View Git Blame Copy Permalink