mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 22:21:30 +00:00
shankar0123
3ef45e2ad4
# Phase 6 — day-0 admin bootstrap * internal/auth/bootstrap/ (new package): Strategy interface + EnvTokenStrategy with constant-time compare, one-shot consumption via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC- first-admin will plug in alongside as an alternate Strategy. * BootstrapService.ValidateAndMint: validates the operator's CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API key value, persists the SHA-256 hash to api_keys, grants r-admin via actor_roles, AddHashed's the runtime keystore so the just- minted key authenticates the next request without restart, and records bootstrap.consume to the audit trail with category=auth. * internal/auth/keystore.go (new): KeyStore interface + StaticKeyStore (immutable env-var-only path) + MutableKeyStore (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth middleware now consumes a KeyStore so the bootstrap path can extend the lookup table at runtime. * migrations/000031_api_keys.up/down.sql: api_keys table with (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by, created_at, expires_at, last_used_at). Idempotent. * /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both routes documented in api/openapi.yaml + AuthExemptRouterRoutes allowlist updated. The token never leaves internal/auth/bootstrap; the minted plaintext key flows only into the HTTP response body. * Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND admin actors already exist (config drift signal). * Tests: 4 strategy invariants (empty token born disabled, wrong token=ErrInvalidToken without consumption, one-shot consumption, admin-exists closes path), 5 service tests (happy path + actor- name validation + propagation of strategy errors + nil-deps guard + 32-byte entropy budget), 8 HTTP-handler tests (status 201/410/401/400 mapping + token-leak hygiene scan of slog + audit details + Location header). Token-leak test redirects slog.Default to a buffer for the test scope. # Phase 7 — API-key migration + scope-down CLI * GET /v1/auth/keys handler + service method ListKeys backed by ActorRoleRepository.ListDistinctActors. Returns one row per (actor_id, actor_type) pair with the slice of role IDs they hold. Permission: auth.role.list. * internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown (interactive), AuthScopeDownNonInteractive (JSON config), AuthScopeDownSuggest (--suggest with optional --apply). The synthetic actor-demo-anon is filtered out of every interactive / bulk path; non-interactive flow logs and skips it explicitly. * SuggestRoleFromAuditEvents (pure function): walks 30 days of audit events per actor and returns the narrowest matching role (admin / mcp / viewer / agent / operator) plus a one-line reason. Classification: any admin-shaped action wins; otherwise all-MCP → mcp; all-read-only → viewer; all-agent-shaped → agent; otherwise operator. Test table pins all six classifications. * CLI subcommand tree extended: 'auth keys list' + 'auth keys scope-down [--non-interactive <cfg>] [--suggest [--apply]]'. * CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS call-out + four flow examples. # Phase 8 — auditor role + event_category column * migrations/000032_audit_category.up/down.sql: ALTER TABLE audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT 'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config) + (event_category) and (event_category, timestamp DESC) indexes for the auditor-filter query path. WORM trigger from migration 000018 continues to enforce append-only at the DB layer (DDL is not blocked). * domain.AuditEvent gains EventCategory string (omitempty); domain.EventCategoryCertLifecycle / Auth / Config constants. * AuditService.RecordEventWithCategory sibling of RecordEvent; legacy callers stay on RecordEvent (defaults to cert_lifecycle). Auth callers (RoleService, ActorRoleService, BootstrapService) switched to RecordEventWithCategory(..., 'auth', ...). * GET /v1/audit?category=<cat>: handler accepts the optional query param, validates against the enum (400 on invalid value), dispatches through ListAuditEventsByCategory. OpenAPI updated with the new query param + AuditEvent.event_category schema. * Postgres AuditRepository.Create now writes event_category; AuditRepository.List filters on it; AuditFilter.EventCategory gates the WHERE clause. * Tests: 5 audit-category-filter HTTP tests (dispatch routing, back-compat fallback, 400 for invalid values, all 3 enum values accepted, page+category combine, JSON output surfaces the field). 3 auditor-role invariants (auditor holds exactly audit.read+audit.export, no mutating perms, disjoint from viewer except audit.read). # Cross-phase wiring * HandlerRegistry.Bootstrap field added; cmd/server/main.go wires the bootstrap service ahead of RegisterHandlers (extracted assembleNamedAPIKeys helper into auth_backfill.go, moved the keystore + bootstrap construction up alongside the auth repos). * AuthCheckResolver / AuthActorRoleService extended with ListKeys to satisfy the Phase 7 surface; existing fakes updated. * fakeAudit + mockAuditService stubs in tests gain RecordEventWithCategory + ListAuditEventsByCategory; existing tests untouched. # Verifications * gofmt -l: clean across every modified file. * go vet ./...: clean. * staticcheck across internal/auth + handler + router + cli + service + repository + cmd + domain: clean. * go test -short -count=1: green across every Bundle-1-touched package — internal/auth (incl. bootstrap), internal/api/handler, internal/api/router, internal/cli, internal/service/auth, internal/service, internal/domain/auth, internal/repository/postgres, cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware, cmd/agent, internal/mcp.
128 lines
4.4 KiB
Go
128 lines
4.4 KiB
Go
package handler
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/certctl-io/certctl/internal/auth/bootstrap"
|
|
)
|
|
|
|
// BootstrapHandler exposes the Bundle 1 Phase 6 day-0 admin path.
|
|
//
|
|
// Threat model (from cowork/auth-bundle-1-prompt.md): the control
|
|
// plane comes up with no admin actors. The operator hands the
|
|
// CERTCTL_BOOTSTRAP_TOKEN to a single curl call; the server mints
|
|
// the first admin key and locks the door. No subsequent invocation
|
|
// can mint another admin via this path — the strategy state and the
|
|
// "admin already exists" probe both close it. After bootstrap the
|
|
// operator manages keys via /v1/auth/keys/...
|
|
//
|
|
// Handler shape:
|
|
//
|
|
// GET /v1/auth/bootstrap → 200 {available:true|false}
|
|
// POST /v1/auth/bootstrap → 201 {api_key, key_value, actor_id}
|
|
//
|
|
// The GET surface is intentionally probable from any caller; it
|
|
// returns availability (no token, no admin probe) so the GUI and the
|
|
// install one-liner can decide whether to render the bootstrap
|
|
// affordance. The POST surface requires the bootstrap token and
|
|
// returns the plaintext key value once.
|
|
type BootstrapHandler struct {
|
|
svc *bootstrap.Service
|
|
}
|
|
|
|
// NewBootstrapHandler constructs a BootstrapHandler. svc may be nil
|
|
// to disable both methods (handler returns 410 Gone on every call).
|
|
func NewBootstrapHandler(svc *bootstrap.Service) BootstrapHandler {
|
|
return BootstrapHandler{svc: svc}
|
|
}
|
|
|
|
type bootstrapAvailableResponse struct {
|
|
Available bool `json:"available"`
|
|
}
|
|
|
|
type bootstrapRequest struct {
|
|
Token string `json:"token"`
|
|
ActorName string `json:"actor_name"`
|
|
}
|
|
|
|
type bootstrapResponse struct {
|
|
ActorID string `json:"actor_id"`
|
|
APIKeyID string `json:"api_key_id"`
|
|
KeyValue string `json:"key_value"`
|
|
CreatedAt string `json:"created_at"`
|
|
Message string `json:"message"`
|
|
}
|
|
|
|
// Available is the GET probe. Returns {available: true} when the
|
|
// strategy is callable AND no admin actors exist; otherwise {available:
|
|
// false}. The endpoint never reveals the bootstrap token's existence
|
|
// independently of admin actor state — the GUI uses this to decide
|
|
// whether to render the "first-time setup" wizard.
|
|
func (h BootstrapHandler) Available(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
available := false
|
|
if h.svc != nil {
|
|
ok, err := h.svc.Available(r.Context())
|
|
if err == nil {
|
|
available = ok
|
|
}
|
|
}
|
|
JSON(w, http.StatusOK, bootstrapAvailableResponse{Available: available})
|
|
}
|
|
|
|
// Mint is the POST handler that consumes the token + creates the
|
|
// first admin key.
|
|
//
|
|
// Status mapping:
|
|
//
|
|
// 410 Gone → strategy disabled (no token, admin exists, or one-shot already consumed)
|
|
// 401 Unauthorized → token mismatch
|
|
// 400 Bad Request → invalid actor_name
|
|
// 201 Created → key minted; response carries the plaintext key value
|
|
func (h BootstrapHandler) Mint(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
if h.svc == nil {
|
|
// No service wired = endpoint disabled. Same status as the
|
|
// "already consumed" path so callers can't differentiate
|
|
// configuration from state.
|
|
Error(w, http.StatusGone, "bootstrap endpoint disabled")
|
|
return
|
|
}
|
|
var body bootstrapRequest
|
|
if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&body); err != nil {
|
|
Error(w, http.StatusBadRequest, "Invalid JSON body")
|
|
return
|
|
}
|
|
body.ActorName = strings.TrimSpace(body.ActorName)
|
|
result, err := h.svc.ValidateAndMint(r.Context(), body.Token, body.ActorName)
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, bootstrap.ErrDisabled):
|
|
Error(w, http.StatusGone, "bootstrap endpoint disabled")
|
|
case errors.Is(err, bootstrap.ErrInvalidToken):
|
|
Error(w, http.StatusUnauthorized, "Invalid bootstrap token")
|
|
case errors.Is(err, bootstrap.ErrInvalidActorName):
|
|
Error(w, http.StatusBadRequest, "Invalid actor_name (3-64 chars, lowercase alnum + - + _)")
|
|
default:
|
|
Error(w, http.StatusInternalServerError, "Bootstrap failed")
|
|
}
|
|
return
|
|
}
|
|
JSON(w, http.StatusCreated, bootstrapResponse{
|
|
ActorID: result.APIKey.Name,
|
|
APIKeyID: result.APIKey.ID,
|
|
KeyValue: result.KeyValue,
|
|
CreatedAt: result.APIKey.CreatedAt.UTC().Format("2006-01-02T15:04:05Z07:00"),
|
|
Message: "Admin API key created. This is the only time the key value is shown — capture it now.",
|
|
})
|
|
}
|