mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:31:36 +00:00
shankar0123
bd54d5f7fa
Bundle 1 / Phase 2: ships PermissionService, RoleService, ActorRoleService, and the Authorizer primitive that Phase 3 RequirePermission middleware calls on every gated request.
Authorizer.CheckPermission semantics: a grant matches when (a) the permission name equals the requested permission AND (b) the grant is global-scoped OR the grant scope_type+scope_id exactly match the request. Global beats specific; per-resource grants widen the effective set rather than shadowing global. Hot-path query is one ActorRoleRepository.EffectivePermissions JOIN call (already shipped in Phase 1) plus an in-memory walk; Phase 12 will add benchmarks + caching if the JOIN cost shows up at scale.
Privilege-escalation guard: ActorRoleService.Grant and Revoke require the caller to hold auth.role.assign globally. Without it, ErrSelfRoleAssignment. System callers (AsSystemCaller()) bypass the check; bootstrap, migrations, scheduler-initiated grants use this path. Reserved actor actor-demo-anon is rejected on Grant + Revoke so the demo path stays alive even after a misclick (ErrAuthReservedActor).
Caller abstraction: every service entry point takes *Caller (ActorID, ActorType, TenantID, IsSystem). CallerFromContext is a stub returning ErrUnauthenticated; Phase 3 wires the middleware-context bridge that fills the Caller from request context. The contract is pinned by TestCallerFromContext_Phase2ReturnsUnauthenticated so the Phase 3 upgrade is observable.
Audit recording: every mutating service operation calls AuditService.RecordEvent. Bundle 1 Phase 8 adds the event_category column + parameter and back-fills 'auth' for these calls; until then the rows go in with the default category.
Test coverage: in-memory fakeRoleRepo / fakePermissionRepo / fakeActorRoleRepo / fakeAudit pin the privilege-escalation invariants (ErrUnauthenticated for nil caller, ErrForbidden for missing perm, ErrInvalidPermission for non-canonical permission name, ErrSelfRoleAssignment for Grant without auth.role.assign, ErrAuthReservedActor for actor-demo-anon mutations, system-caller bypass) without requiring testcontainers. Phase 12 will add live-Postgres integration coverage.
Branch: dev/auth-bundle-1. Phase 1 was 19497ee (RBAC schema + repo). Phase 3 (middleware integration) is the next commit on this branch.
205 lines
6.7 KiB
Go
205 lines
6.7 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
authdomain "github.com/certctl-io/certctl/internal/domain/auth"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// RoleService manages roles + role-permission grants.
|
|
type RoleService struct {
|
|
repo repository.RoleRepository
|
|
permRepo repository.PermissionRepository
|
|
authorizer *Authorizer
|
|
audit AuditService
|
|
}
|
|
|
|
// NewRoleService constructs a RoleService.
|
|
func NewRoleService(repo repository.RoleRepository, permRepo repository.PermissionRepository, authorizer *Authorizer, audit AuditService) *RoleService {
|
|
return &RoleService{
|
|
repo: repo,
|
|
permRepo: permRepo,
|
|
authorizer: authorizer,
|
|
audit: audit,
|
|
}
|
|
}
|
|
|
|
// List returns every role in the caller's tenant. Requires
|
|
// `auth.role.list`.
|
|
func (s *RoleService) List(ctx context.Context, caller *Caller) ([]*authdomain.Role, error) {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.list"); err != nil {
|
|
return nil, err
|
|
}
|
|
tenantID := caller.TenantID
|
|
if tenantID == "" {
|
|
tenantID = authdomain.DefaultTenantID
|
|
}
|
|
return s.repo.List(ctx, tenantID)
|
|
}
|
|
|
|
// Get returns the role with the given ID. Requires `auth.role.list`.
|
|
func (s *RoleService) Get(ctx context.Context, caller *Caller, id string) (*authdomain.Role, error) {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.list"); err != nil {
|
|
return nil, err
|
|
}
|
|
return s.repo.Get(ctx, id)
|
|
}
|
|
|
|
// Create stores a new role. Requires `auth.role.create`.
|
|
func (s *RoleService) Create(ctx context.Context, caller *Caller, role *authdomain.Role) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.create"); err != nil {
|
|
return err
|
|
}
|
|
if role.TenantID == "" {
|
|
role.TenantID = authdomain.DefaultTenantID
|
|
}
|
|
if err := s.repo.Create(ctx, role); err != nil {
|
|
return err
|
|
}
|
|
s.recordAudit(ctx, caller, "role.create", "role", role.ID, map[string]interface{}{"name": role.Name, "tenant_id": role.TenantID})
|
|
return nil
|
|
}
|
|
|
|
// Update modifies an existing role. Requires `auth.role.edit`.
|
|
func (s *RoleService) Update(ctx context.Context, caller *Caller, role *authdomain.Role) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.edit"); err != nil {
|
|
return err
|
|
}
|
|
if err := s.repo.Update(ctx, role); err != nil {
|
|
return err
|
|
}
|
|
s.recordAudit(ctx, caller, "role.update", "role", role.ID, map[string]interface{}{"name": role.Name})
|
|
return nil
|
|
}
|
|
|
|
// Delete removes a role. Requires `auth.role.delete`. Returns
|
|
// repository.ErrAuthRoleInUse when active actor_roles still reference
|
|
// the role (FK ON DELETE RESTRICT).
|
|
func (s *RoleService) Delete(ctx context.Context, caller *Caller, id string) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.delete"); err != nil {
|
|
return err
|
|
}
|
|
if err := s.repo.Delete(ctx, id); err != nil {
|
|
return err
|
|
}
|
|
s.recordAudit(ctx, caller, "role.delete", "role", id, nil)
|
|
return nil
|
|
}
|
|
|
|
// ListPermissions returns the (permission, scope) grants on the role.
|
|
// Requires `auth.role.list`.
|
|
func (s *RoleService) ListPermissions(ctx context.Context, caller *Caller, roleID string) ([]*authdomain.RolePermission, error) {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.list"); err != nil {
|
|
return nil, err
|
|
}
|
|
return s.repo.ListPermissions(ctx, roleID)
|
|
}
|
|
|
|
// AddPermission grants a permission to a role at the given scope.
|
|
// Requires `auth.role.edit`. Returns ErrInvalidPermission if the
|
|
// permission name is not in the canonical catalogue.
|
|
func (s *RoleService) AddPermission(ctx context.Context, caller *Caller, roleID, permissionName string, scopeType authdomain.ScopeType, scopeID *string) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.edit"); err != nil {
|
|
return err
|
|
}
|
|
if !s.permRepo.IsCanonical(permissionName) {
|
|
return fmt.Errorf("%w: %q", ErrInvalidPermission, permissionName)
|
|
}
|
|
perm, err := s.permRepo.GetByName(ctx, permissionName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
grant := &authdomain.RolePermission{
|
|
RoleID: roleID,
|
|
PermissionID: perm.ID,
|
|
ScopeType: scopeType,
|
|
ScopeID: scopeID,
|
|
}
|
|
if err := s.repo.AddPermission(ctx, grant); err != nil {
|
|
return err
|
|
}
|
|
details := map[string]interface{}{
|
|
"role_id": roleID,
|
|
"permission": permissionName,
|
|
"scope_type": string(scopeType),
|
|
}
|
|
if scopeID != nil {
|
|
details["scope_id"] = *scopeID
|
|
}
|
|
s.recordAudit(ctx, caller, "role.permission.add", "role", roleID, details)
|
|
return nil
|
|
}
|
|
|
|
// RemovePermission revokes a previously-granted permission from a role.
|
|
// Requires `auth.role.edit`.
|
|
func (s *RoleService) RemovePermission(ctx context.Context, caller *Caller, roleID, permissionName string, scopeType authdomain.ScopeType, scopeID *string) error {
|
|
if err := s.requirePermission(ctx, caller, "auth.role.edit"); err != nil {
|
|
return err
|
|
}
|
|
perm, err := s.permRepo.GetByName(ctx, permissionName)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
grant := &authdomain.RolePermission{
|
|
RoleID: roleID,
|
|
PermissionID: perm.ID,
|
|
ScopeType: scopeType,
|
|
ScopeID: scopeID,
|
|
}
|
|
if err := s.repo.RemovePermission(ctx, grant); err != nil {
|
|
return err
|
|
}
|
|
details := map[string]interface{}{
|
|
"role_id": roleID,
|
|
"permission": permissionName,
|
|
"scope_type": string(scopeType),
|
|
}
|
|
if scopeID != nil {
|
|
details["scope_id"] = *scopeID
|
|
}
|
|
s.recordAudit(ctx, caller, "role.permission.remove", "role", roleID, details)
|
|
return nil
|
|
}
|
|
|
|
// requirePermission is the gate every public method runs first. System
|
|
// callers bypass; everyone else must hold the named permission globally.
|
|
// Returns ErrUnauthenticated when caller is nil, ErrForbidden when the
|
|
// caller exists but lacks the permission.
|
|
func (s *RoleService) requirePermission(ctx context.Context, caller *Caller, perm string) error {
|
|
if caller == nil {
|
|
return ErrUnauthenticated
|
|
}
|
|
if caller.IsSystem {
|
|
return nil
|
|
}
|
|
tenantID := caller.TenantID
|
|
if tenantID == "" {
|
|
tenantID = authdomain.DefaultTenantID
|
|
}
|
|
ok, err := s.authorizer.CheckPermission(ctx, caller.ActorID, authdomain.ActorTypeValue(caller.ActorType), tenantID, perm, authdomain.ScopeTypeGlobal, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if !ok {
|
|
return fmt.Errorf("%w: %q", ErrForbidden, perm)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// recordAudit emits an audit row tied to the caller. Best-effort: audit
|
|
// failures are logged via panic-recover but do not fail the operation.
|
|
func (s *RoleService) recordAudit(ctx context.Context, caller *Caller, action, resourceType, resourceID string, details map[string]interface{}) {
|
|
if s.audit == nil || caller == nil {
|
|
return
|
|
}
|
|
_ = s.audit.RecordEvent(ctx, caller.ActorID, caller.ActorType, action, resourceType, resourceID, details)
|
|
}
|
|
|
|
// Ensure the compile-time pin: domain.ActorType is convertible to
|
|
// authdomain.ActorTypeValue via string equality. If the underlying
|
|
// types ever diverge this won't compile.
|
|
var _ authdomain.ActorTypeValue = authdomain.ActorTypeValue(domain.ActorTypeAPIKey)
|