Add PG creds + policy/tags UI; fix lint and build
- internal/ui/ui.go: add PGCred, Tags to AccountDetailData; register
PUT /accounts/{id}/pgcreds and PUT /accounts/{id}/tags routes; add
pgcreds_form.html and tags_editor.html to shared template set; remove
unused AccountTagsData; fix fieldalignment on PolicyRuleView, PoliciesData
- internal/ui/handlers_accounts.go: add handleSetPGCreds — encrypts
password via crypto.SealAESGCM, writes audit EventPGCredUpdated, renders
pgcreds_form fragment; password never echoed; load PG creds and tags in
handleAccountDetail
- internal/ui/handlers_policy.go: fix handleSetAccountTags to render with
AccountDetailData instead of removed AccountTagsData
- internal/ui/ui_test.go: add 5 PG credential UI tests
- web/templates/fragments/pgcreds_form.html: new fragment — metadata display
+ set/replace form; system accounts only; password write-only
- web/templates/fragments/tags_editor.html: new fragment — textarea editor
with HTMX PUT for atomic tag replacement
- web/templates/fragments/policy_form.html: rewrite to use structured fields
matching handleCreatePolicyRule (roles/account_types/actions multi-select,
resource_type, subject_uuid, service_names, required_tags, checkbox)
- web/templates/policies.html: new policies management page
- web/templates/fragments/policy_row.html: new HTMX table row with toggle
and delete
- web/templates/account_detail.html: add Tags card and PG Credentials card
- web/templates/base.html: add Policies nav link
- internal/server/server.go: remove ~220 lines of duplicate tag/policy
handler code (real implementations are in handlers_policy.go)
- internal/policy/engine_wrapper.go: fix corrupted source; use errors.New
- internal/db/policy_test.go: use model.AccountTypeHuman constant
- cmd/mciasctl/main.go: add nolint:gosec to int(os.Stdin.Fd()) calls
- gofmt/goimports: db/policy_test.go, policy/defaults.go,
policy/engine_test.go, ui/ui.go, cmd/mciasctl/main.go
- fieldalignment: model.PolicyRuleRecord, policy.Engine, policy.Rule,
policy.RuleBody, ui.PolicyRuleView
Security: PG password encrypted AES-256-GCM with fresh random nonce before
storage; plaintext never logged or returned in any response; audit event
written on every credential write.
This commit is contained in:
83
internal/policy/defaults.go
Normal file
83
internal/policy/defaults.go
Normal file
@@ -0,0 +1,83 @@
|
||||
package policy
|
||||
|
||||
// defaultRules are the compiled-in authorization rules. They cannot be
|
||||
// modified or deleted via the API. They reproduce the previous binary
|
||||
// admin/non-admin behavior exactly when no operator rules exist, so wiring
|
||||
// the policy engine alongside RequireRole("admin") produces identical results.
|
||||
//
|
||||
// All defaults use Priority 0 so they are evaluated before any operator rule
|
||||
// (which defaults to Priority 100). Within priority 0, deny-wins still applies,
|
||||
// but the defaults contain no Deny rules — they only grant the minimum required
|
||||
// for self-service and admin operations.
|
||||
//
|
||||
// Security rationale for each rule is documented inline.
|
||||
var defaultRules = []Rule{
|
||||
{
|
||||
// Admin wildcard: an account bearing the "admin" role is permitted to
|
||||
// perform any action on any resource. This mirrors the previous
|
||||
// RequireRole("admin") check and is the root of all administrative trust.
|
||||
ID: -1,
|
||||
Description: "Admin wildcard: admin role allows all actions",
|
||||
Priority: 0,
|
||||
Roles: []string{"admin"},
|
||||
Effect: Allow,
|
||||
},
|
||||
{
|
||||
// Self-service logout and token renewal: any authenticated principal may
|
||||
// revoke or renew their own token. No resource scoping is needed because
|
||||
// the handler independently verifies that the JTI belongs to the caller.
|
||||
ID: -2,
|
||||
Description: "Self-service: any principal may logout or renew their own token",
|
||||
Priority: 0,
|
||||
Actions: []Action{ActionLogout, ActionRenewToken},
|
||||
Effect: Allow,
|
||||
},
|
||||
{
|
||||
// Self-service TOTP enrollment: any authenticated human account may
|
||||
// initiate and confirm their own TOTP enrollment. The handler verifies
|
||||
// the subject matches before writing.
|
||||
ID: -3,
|
||||
Description: "Self-service: any principal may enroll their own TOTP",
|
||||
Priority: 0,
|
||||
Actions: []Action{ActionEnrollTOTP},
|
||||
Effect: Allow,
|
||||
},
|
||||
{
|
||||
// System accounts reading their own pgcreds: a service that has already
|
||||
// authenticated (e.g. via its bearer service token) may retrieve its own
|
||||
// Postgres credentials without admin privilege. OwnerMatchesSubject
|
||||
// ensures the service can only reach its own row — not another service's.
|
||||
ID: -4,
|
||||
Description: "System accounts may read their own pg_credentials",
|
||||
Priority: 0,
|
||||
AccountTypes: []string{"system"},
|
||||
Actions: []Action{ActionReadPGCreds},
|
||||
ResourceType: ResourcePGCreds,
|
||||
OwnerMatchesSubject: true,
|
||||
Effect: Allow,
|
||||
},
|
||||
{
|
||||
// System accounts issuing or renewing their own service token: a system
|
||||
// account may rotate its own bearer token. OwnerMatchesSubject ensures
|
||||
// it cannot issue tokens for other accounts.
|
||||
ID: -5,
|
||||
Description: "System accounts may issue or renew their own service token",
|
||||
Priority: 0,
|
||||
AccountTypes: []string{"system"},
|
||||
Actions: []Action{ActionIssueToken, ActionRenewToken},
|
||||
ResourceType: ResourceToken,
|
||||
OwnerMatchesSubject: true,
|
||||
Effect: Allow,
|
||||
},
|
||||
{
|
||||
// Public endpoints: token validation and login do not require
|
||||
// authentication. The middleware exempts them from RequireAuth entirely;
|
||||
// this rule exists so that if a policy check is accidentally applied to
|
||||
// these paths, it does not block them.
|
||||
ID: -6,
|
||||
Description: "Public: token validation and login are always permitted",
|
||||
Priority: 0,
|
||||
Actions: []Action{ActionValidateToken, ActionLogin},
|
||||
Effect: Allow,
|
||||
},
|
||||
}
|
||||
Reference in New Issue
Block a user