kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add PG creds + policy/tags UI; fix lint and build

Browse Source 
- internal/ui/ui.go: add PGCred, Tags to AccountDetailData; register
  PUT /accounts/{id}/pgcreds and PUT /accounts/{id}/tags routes; add
  pgcreds_form.html and tags_editor.html to shared template set; remove
  unused AccountTagsData; fix fieldalignment on PolicyRuleView, PoliciesData
- internal/ui/handlers_accounts.go: add handleSetPGCreds — encrypts
  password via crypto.SealAESGCM, writes audit EventPGCredUpdated, renders
  pgcreds_form fragment; password never echoed; load PG creds and tags in
  handleAccountDetail
- internal/ui/handlers_policy.go: fix handleSetAccountTags to render with
  AccountDetailData instead of removed AccountTagsData
- internal/ui/ui_test.go: add 5 PG credential UI tests
- web/templates/fragments/pgcreds_form.html: new fragment — metadata display
  + set/replace form; system accounts only; password write-only
- web/templates/fragments/tags_editor.html: new fragment — textarea editor
  with HTMX PUT for atomic tag replacement
- web/templates/fragments/policy_form.html: rewrite to use structured fields
  matching handleCreatePolicyRule (roles/account_types/actions multi-select,
  resource_type, subject_uuid, service_names, required_tags, checkbox)
- web/templates/policies.html: new policies management page
- web/templates/fragments/policy_row.html: new HTMX table row with toggle
  and delete
- web/templates/account_detail.html: add Tags card and PG Credentials card
- web/templates/base.html: add Policies nav link
- internal/server/server.go: remove ~220 lines of duplicate tag/policy
  handler code (real implementations are in handlers_policy.go)
- internal/policy/engine_wrapper.go: fix corrupted source; use errors.New
- internal/db/policy_test.go: use model.AccountTypeHuman constant
- cmd/mciasctl/main.go: add nolint:gosec to int(os.Stdin.Fd()) calls
- gofmt/goimports: db/policy_test.go, policy/defaults.go,
  policy/engine_test.go, ui/ui.go, cmd/mciasctl/main.go
- fieldalignment: model.PolicyRuleRecord, policy.Engine, policy.Rule,
  policy.RuleBody, ui.PolicyRuleView
Security: PG password encrypted AES-256-GCM with fresh random nonce before
storage; plaintext never logged or returned in any response; audit event
written on every credential write.
This commit is contained in:
Kyle Isom
2026-03-11 23:24:03 -07:00
parent 5a8698e199
commit 052d3ed1b8
27 changed files with 3609 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

219
cmd/mciasctl/main.go
View File

@@ -1,7 +1,8 @@
// Command mciasctl is the MCIAS admin CLI.
//
// It connects to a running mciassrv instance and provides subcommands for
// managing accounts, roles, tokens, and Postgres credentials.
// managing accounts, roles, tokens, Postgres credentials, policy rules, and
// account tags.
//
// Usage:
//
@@ -31,6 +32,15 @@
//
// pgcreds set -id UUID -host HOST [-port PORT] -db DB -user USER [-password PASS]
// pgcreds get -id UUID
//
// policy list
// policy create -description STR -json FILE [-priority N]
// policy get -id ID
// policy update -id ID [-priority N] [-enabled true|false]
// policy delete -id ID
//
// tag list -id UUID
// tag set -id UUID -tags tag1,tag2,...
package main
import (
@@ -93,6 +103,10 @@ func main() {
ctl.runToken(subArgs)
case "pgcreds":
ctl.runPGCreds(subArgs)
case "policy":
ctl.runPolicy(subArgs)
case "tag":
ctl.runTag(subArgs)
default:
fatalf("unknown command %q; run with no args to see usage", command)
}
@@ -143,8 +157,8 @@ func (c *controller) authLogin(args []string) {
passwd := *password
if passwd == "" {
fmt.Fprint(os.Stderr, "Password: ")
raw, err := term.ReadPassword(int(os.Stdin.Fd()))
fmt.Fprintln(os.Stderr) // newline after hidden input
raw, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
fmt.Fprintln(os.Stderr) // newline after hidden input
if err != nil {
fatalf("read password: %v", err)
}
@@ -223,7 +237,7 @@ func (c *controller) accountCreate(args []string) {
passwd := *password
if passwd == "" && *accountType == "human" {
fmt.Fprint(os.Stderr, "Password: ")
raw, err := term.ReadPassword(int(os.Stdin.Fd()))
raw, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
fmt.Fprintln(os.Stderr)
if err != nil {
fatalf("read password: %v", err)
@@ -442,7 +456,7 @@ func (c *controller) pgCredsSet(args []string) {
passwd := *password
if passwd == "" {
fmt.Fprint(os.Stderr, "Postgres password: ")
raw, err := term.ReadPassword(int(os.Stdin.Fd()))
raw, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // uintptr==int on all target platforms
fmt.Fprintln(os.Stderr)
if err != nil {
fatalf("read password: %v", err)
@@ -464,6 +478,189 @@ func (c *controller) pgCredsSet(args []string) {
fmt.Println("credentials stored")
}
// ---- policy subcommands ----
func (c *controller) runPolicy(args []string) {
if len(args) == 0 {
fatalf("policy requires a subcommand: list, create, get, update, delete")
}
switch args[0] {
case "list":
c.policyList()
case "create":
c.policyCreate(args[1:])
case "get":
c.policyGet(args[1:])
case "update":
c.policyUpdate(args[1:])
case "delete":
c.policyDelete(args[1:])
default:
fatalf("unknown policy subcommand %q", args[0])
}
}
func (c *controller) policyList() {
var result json.RawMessage
c.doRequest("GET", "/v1/policy/rules", nil, &result)
printJSON(result)
}
func (c *controller) policyCreate(args []string) {
fs := flag.NewFlagSet("policy create", flag.ExitOnError)
description := fs.String("description", "", "rule description (required)")
jsonFile := fs.String("json", "", "path to JSON file containing the rule body (required)")
priority := fs.Int("priority", 100, "rule priority (lower = evaluated first)")
_ = fs.Parse(args)
if *description == "" {
fatalf("policy create: -description is required")
}
if *jsonFile == "" {
fatalf("policy create: -json is required (path to rule body JSON file)")
}
// G304: path comes from a CLI flag supplied by the operator.
ruleBytes, err := os.ReadFile(*jsonFile) //nolint:gosec
if err != nil {
fatalf("policy create: read %s: %v", *jsonFile, err)
}
// Validate that the file contains valid JSON before sending.
var ruleBody json.RawMessage
if err := json.Unmarshal(ruleBytes, &ruleBody); err != nil {
fatalf("policy create: invalid JSON in %s: %v", *jsonFile, err)
}
body := map[string]interface{}{
"description": *description,
"priority": *priority,
"rule": ruleBody,
}
var result json.RawMessage
c.doRequest("POST", "/v1/policy/rules", body, &result)
printJSON(result)
}
func (c *controller) policyGet(args []string) {
fs := flag.NewFlagSet("policy get", flag.ExitOnError)
id := fs.String("id", "", "rule ID (required)")
_ = fs.Parse(args)
if *id == "" {
fatalf("policy get: -id is required")
}
var result json.RawMessage
c.doRequest("GET", "/v1/policy/rules/"+*id, nil, &result)
printJSON(result)
}
func (c *controller) policyUpdate(args []string) {
fs := flag.NewFlagSet("policy update", flag.ExitOnError)
id := fs.String("id", "", "rule ID (required)")
priority := fs.Int("priority", -1, "new priority (-1 = no change)")
enabled := fs.String("enabled", "", "true or false")
_ = fs.Parse(args)
if *id == "" {
fatalf("policy update: -id is required")
}
body := map[string]interface{}{}
if *priority >= 0 {
body["priority"] = *priority
}
if *enabled != "" {
switch *enabled {
case "true":
b := true
body["enabled"] = b
case "false":
b := false
body["enabled"] = b
default:
fatalf("policy update: -enabled must be true or false")
}
}
if len(body) == 0 {
fatalf("policy update: at least one of -priority or -enabled is required")
}
var result json.RawMessage
c.doRequest("PATCH", "/v1/policy/rules/"+*id, body, &result)
printJSON(result)
}
func (c *controller) policyDelete(args []string) {
fs := flag.NewFlagSet("policy delete", flag.ExitOnError)
id := fs.String("id", "", "rule ID (required)")
_ = fs.Parse(args)
if *id == "" {
fatalf("policy delete: -id is required")
}
c.doRequest("DELETE", "/v1/policy/rules/"+*id, nil, nil)
fmt.Println("policy rule deleted")
}
// ---- tag subcommands ----
func (c *controller) runTag(args []string) {
if len(args) == 0 {
fatalf("tag requires a subcommand: list, set")
}
switch args[0] {
case "list":
c.tagList(args[1:])
case "set":
c.tagSet(args[1:])
default:
fatalf("unknown tag subcommand %q", args[0])
}
}
func (c *controller) tagList(args []string) {
fs := flag.NewFlagSet("tag list", flag.ExitOnError)
id := fs.String("id", "", "account UUID (required)")
_ = fs.Parse(args)
if *id == "" {
fatalf("tag list: -id is required")
}
var result json.RawMessage
c.doRequest("GET", "/v1/accounts/"+*id+"/tags", nil, &result)
printJSON(result)
}
func (c *controller) tagSet(args []string) {
fs := flag.NewFlagSet("tag set", flag.ExitOnError)
id := fs.String("id", "", "account UUID (required)")
tagsFlag := fs.String("tags", "", "comma-separated list of tags (empty string clears all tags)")
_ = fs.Parse(args)
if *id == "" {
fatalf("tag set: -id is required")
}
tags := []string{}
if *tagsFlag != "" {
for _, t := range strings.Split(*tagsFlag, ",") {
t = strings.TrimSpace(t)
if t != "" {
tags = append(tags, t)
}
}
}
body := map[string][]string{"tags": tags}
c.doRequest("PUT", "/v1/accounts/"+*id+"/tags", body, nil)
fmt.Printf("tags set: %v\n", tags)
}
// ---- HTTP helpers ----
// doRequest performs an authenticated JSON HTTP request. If result is non-nil,
@@ -588,5 +785,17 @@ Commands:
pgcreds get -id UUID
pgcreds set -id UUID -host HOST [-port PORT] -db DB -user USER [-password PASS]
policy list
policy create -description STR -json FILE [-priority N]
FILE must contain a JSON rule body, e.g.:
{"effect":"allow","actions":["pgcreds:read"],"resource_type":"pgcreds","owner_matches_subject":true}
policy get -id ID
policy update -id ID [-priority N] [-enabled true|false]
policy delete -id ID
tag list -id UUID
tag set -id UUID -tags tag1,tag2,...
Pass empty -tags "" to clear all tags.
`)
}