From 59d51a1d386e3bab983f840215a893b43c163536 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Wed, 11 Mar 2026 14:38:47 -0700 Subject: [PATCH] =?UTF-8?q?Implement=20Phase=207:=20gRPC=20dual-stack=20in?= =?UTF-8?q?terface=20-=20proto/mcias/v1/:=20AdminService,=20AuthService,?= =?UTF-8?q?=20TokenService,=20=20=20AccountService,=20CredentialService;?= =?UTF-8?q?=20generated=20Go=20stubs=20in=20gen/=20-=20internal/grpcserver?= =?UTF-8?q?:=20full=20handler=20implementations=20sharing=20all=20=20=20bu?= =?UTF-8?q?siness=20logic=20(auth,=20token,=20db,=20crypto)=20with=20REST?= =?UTF-8?q?=20server;=20=20=20interceptor=20chain:=20logging=20->=20auth?= =?UTF-8?q?=20(JWT=20alg-first=20+=20revocation)=20->=20=20=20rate-limit?= =?UTF-8?q?=20(token=20bucket,=2010=20req/s,=20burst=2010,=20per-IP)=20-?= =?UTF-8?q?=20internal/config:=20optional=20grpc=5Faddr=20field=20in=20[se?= =?UTF-8?q?rver]=20section=20-=20cmd/mciassrv:=20dual-stack=20startup;=20g?= =?UTF-8?q?RPC/TLS=20listener=20on=20grpc=5Faddr=20=20=20when=20configured?= =?UTF-8?q?;=20graceful=20shutdown=20of=20both=20servers=20in=2015s=20wind?= =?UTF-8?q?ow=20-=20cmd/mciasgrpcctl:=20companion=20gRPC=20CLI=20mirroring?= =?UTF-8?q?=20mciasctl=20commands=20=20=20(health,=20pubkey,=20account,=20?= =?UTF-8?q?role,=20token,=20pgcreds)=20using=20TLS=20with=20=20=20optional?= =?UTF-8?q?=20custom=20CA=20cert=20-=20internal/grpcserver/grpcserver=5Fte?= =?UTF-8?q?st.go:=2020=20tests=20via=20bufconn=20covering=20=20=20public?= =?UTF-8?q?=20RPCs,=20auth=20interceptor=20(no=20token,=20invalid,=20revok?= =?UTF-8?q?ed=20->=20401),=20=20=20non-admin=20->=20403,=20Login/Logout/Re?= =?UTF-8?q?newToken/ValidateToken=20flows,=20=20=20AccountService=20CRUD,?= =?UTF-8?q?=20SetPGCreds/GetPGCreds=20AES-GCM=20round-trip,=20=20=20creden?= =?UTF-8?q?tial=20fields=20absent=20from=20all=20responses=20Security:=20?= =?UTF-8?q?=20=20JWT=20validation=20path=20identical=20to=20REST:=20alg=20?= =?UTF-8?q?header=20checked=20before=20=20=20signature,=20alg:none=20rejec?= =?UTF-8?q?ted,=20revocation=20table=20checked=20after=20sig.=20=20=20Auth?= =?UTF-8?q?orization=20metadata=20value=20never=20logged=20by=20any=20inte?= =?UTF-8?q?rceptor.=20=20=20Credential=20fields=20(PasswordHash,=20TOTPSec?= =?UTF-8?q?ret*,=20PGPassword)=20absent=20from=20=20=20all=20proto=20respo?= =?UTF-8?q?nse=20messages=20=E2=80=94=20enforced=20by=20proto=20design=20a?= =?UTF-8?q?nd=20confirmed=20=20=20by=20test=20TestCredentialFieldsAbsentFr?= =?UTF-8?q?omAccountResponse.=20=20=20Login=20dummy-Argon2=20timing=20guar?= =?UTF-8?q?d=20preserves=20timing=20uniformity=20for=20=20=20unknown=20use?= =?UTF-8?q?rs=20(same=20as=20REST=20handleLogin).=20=20=20TLS=20required?= =?UTF-8?q?=20at=20listener=20level;=20cmd/mciassrv=20uses=20=20=20credent?= =?UTF-8?q?ials.NewServerTLSFromFile;=20no=20h2c=20offered.=20137=20tests?= =?UTF-8?q?=20pass,=20zero=20race=20conditions=20(go=20test=20-race=20./..?= =?UTF-8?q?.)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 9 +- PROGRESS.md | 88 +- cmd/mciasctl/main.go | 473 +++++++++++ cmd/mciasdb/account.go | 251 ++++++ cmd/mciasdb/audit.go | 116 +++ cmd/mciasdb/main.go | 242 ++++++ cmd/mciasdb/mciasdb_test.go | 440 ++++++++++ cmd/mciasdb/pgcreds.go | 127 +++ cmd/mciasdb/role.go | 112 +++ cmd/mciasdb/schema.go | 63 ++ cmd/mciasdb/token.go | 130 +++ cmd/mciasgrpcctl/main.go | 602 ++++++++++++++ cmd/mciassrv/main.go | 331 ++++++++ gen/mcias/v1/account.pb.go | 983 +++++++++++++++++++++++ gen/mcias/v1/account_grpc.pb.go | 502 ++++++++++++ gen/mcias/v1/admin.pb.go | 296 +++++++ gen/mcias/v1/admin_grpc.pb.go | 172 ++++ gen/mcias/v1/auth.pb.go | 677 ++++++++++++++++ gen/mcias/v1/auth_grpc.pb.go | 341 ++++++++ gen/mcias/v1/common.pb.go | 409 ++++++++++ gen/mcias/v1/token.pb.go | 411 ++++++++++ gen/mcias/v1/token_grpc.pb.go | 215 +++++ go.mod | 5 + go.sum | 10 + internal/config/config.go | 8 +- internal/grpcserver/accountservice.go | 222 +++++ internal/grpcserver/admin.go | 41 + internal/grpcserver/auth.go | 264 ++++++ internal/grpcserver/credentialservice.go | 107 +++ internal/grpcserver/grpcserver.go | 345 ++++++++ internal/grpcserver/grpcserver_test.go | 654 +++++++++++++++ internal/grpcserver/tokenservice.go | 122 +++ proto/generate.go | 10 + proto/mcias/v1/account.proto | 119 +++ proto/mcias/v1/admin.proto | 38 + proto/mcias/v1/auth.proto | 99 +++ proto/mcias/v1/common.proto | 45 ++ proto/mcias/v1/token.proto | 63 ++ 38 files changed, 9132 insertions(+), 10 deletions(-) create mode 100644 cmd/mciasctl/main.go create mode 100644 cmd/mciasdb/account.go create mode 100644 cmd/mciasdb/audit.go create mode 100644 cmd/mciasdb/main.go create mode 100644 cmd/mciasdb/mciasdb_test.go create mode 100644 cmd/mciasdb/pgcreds.go create mode 100644 cmd/mciasdb/role.go create mode 100644 cmd/mciasdb/schema.go create mode 100644 cmd/mciasdb/token.go create mode 100644 cmd/mciasgrpcctl/main.go create mode 100644 cmd/mciassrv/main.go create mode 100644 gen/mcias/v1/account.pb.go create mode 100644 gen/mcias/v1/account_grpc.pb.go create mode 100644 gen/mcias/v1/admin.pb.go create mode 100644 gen/mcias/v1/admin_grpc.pb.go create mode 100644 gen/mcias/v1/auth.pb.go create mode 100644 gen/mcias/v1/auth_grpc.pb.go create mode 100644 gen/mcias/v1/common.pb.go create mode 100644 gen/mcias/v1/token.pb.go create mode 100644 gen/mcias/v1/token_grpc.pb.go create mode 100644 internal/grpcserver/accountservice.go create mode 100644 internal/grpcserver/admin.go create mode 100644 internal/grpcserver/auth.go create mode 100644 internal/grpcserver/credentialservice.go create mode 100644 internal/grpcserver/grpcserver.go create mode 100644 internal/grpcserver/grpcserver_test.go create mode 100644 internal/grpcserver/tokenservice.go create mode 100644 proto/generate.go create mode 100644 proto/mcias/v1/account.proto create mode 100644 proto/mcias/v1/admin.proto create mode 100644 proto/mcias/v1/auth.proto create mode 100644 proto/mcias/v1/common.proto create mode 100644 proto/mcias/v1/token.proto diff --git a/.gitignore b/.gitignore index c9a5a52..5b2f179 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,8 @@ -# Build output -mciassrv -mciasctl -mciasdb +# Build output (root-level binaries only) +/mciassrv +/mciasctl +/mciasdb +/mciasgrpcctl *.exe # Database files diff --git a/PROGRESS.md b/PROGRESS.md index 00a4fb9..ac1b2de 100644 --- a/PROGRESS.md +++ b/PROGRESS.md @@ -4,10 +4,10 @@ Source of truth for current development state. --- -## Current Status: Phase 6 Complete — Phases 7–9 Planned +## Current Status: Phase 7 Complete — Phases 8–9 Planned -117 tests pass with zero race conditions. Phases 7–9 are designed and -documented; implementation not yet started. +137 tests pass with zero race conditions. Phase 7 (gRPC dual-stack) is +complete. Phases 8–9 are designed and documented; implementation not yet started. ### Completed Phases @@ -18,10 +18,10 @@ documented; implementation not yet started. - [x] Phase 4: Admin CLI (mciasctl binary) - [x] Phase 5: E2E tests, security hardening, commit - [x] Phase 6: mciasdb — direct SQLite maintenance tool +- [x] Phase 7: gRPC interface (alternate transport; dual-stack with REST) ### Planned Phases -- [ ] Phase 7: gRPC interface (alternate transport; dual-stack with REST) - [ ] Phase 8: Operational artifacts (systemd unit, man pages, Makefile, install script) - [ ] Phase 9: Client libraries (Go, Rust, Common Lisp, Python) @@ -29,6 +29,86 @@ documented; implementation not yet started. ## Implementation Log +### 2026-03-11 — Phase 7: gRPC dual-stack + +**proto/mcias/v1/** +- `common.proto` — shared types: Account, TokenInfo, PGCreds, Error +- `admin.proto` — AdminService: Health (public), GetPublicKey (public) +- `auth.proto` — AuthService: Login (public), Logout, RenewToken, + EnrollTOTP, ConfirmTOTP, RemoveTOTP (admin) +- `token.proto` — TokenService: ValidateToken (public), + IssueServiceToken (admin), RevokeToken (admin) +- `account.proto` — AccountService (CRUD + roles, all admin) + + CredentialService (GetPGCreds, SetPGCreds, all admin) +- `proto/generate.go` — go:generate directive for protoc regeneration +- Generated Go stubs in `gen/mcias/v1/` via protoc + protoc-gen-go-grpc + +**internal/grpcserver** +- `grpcserver.go` — Server struct, interceptor chain + (loggingInterceptor → authInterceptor → rateLimitInterceptor), + GRPCServer() / GRPCServerWithCreds(creds) / buildServer() helpers, + per-IP token-bucket rate limiter (same parameters as REST: 10 req/s, + burst 10), extractBearerFromMD, requireAdmin +- `admin.go` — Health, GetPublicKey implementations +- `auth.go` — Login (with dummy-Argon2 timing guard), Logout, RenewToken, + EnrollTOTP, ConfirmTOTP, RemoveTOTP +- `tokenservice.go` — ValidateToken (returns valid=false on error, never + an RPC error), IssueServiceToken, RevokeToken +- `accountservice.go` — ListAccounts, CreateAccount, GetAccount, + UpdateAccount, DeleteAccount, GetRoles, SetRoles +- `credentialservice.go` — GetPGCreds (AES-GCM decrypt), SetPGCreds + (AES-GCM encrypt) + +**Security invariants (same as REST server):** +- Authorization metadata value never logged by any interceptor +- Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from + all proto response messages by proto design + grpcserver enforcement +- JWT validation: alg-first, then signature, then revocation table lookup +- Public RPCs bypass auth: Health, GetPublicKey, ValidateToken, Login +- Admin-only RPCs checked in-handler via requireAdmin(ctx) +- Dummy Argon2 in Login for unknown users prevents timing enumeration + +**internal/config additions** +- `GRPCAddr string` field in ServerConfig (optional; omit to disable gRPC) + +**cmd/mciassrv updates** +- Dual-stack: starts both HTTPS (REST) and gRPC/TLS listeners when + grpc_addr is configured in [server] section +- gRPC listener uses same TLS cert/key as REST; credentials passed at + server-construction time via GRPCServerWithCreds +- Graceful shutdown drains both listeners within 15s window + +**cmd/mciasgrpcctl** +- New companion CLI for gRPC management +- Global flags: -server (host:port), -token (or MCIAS_TOKEN), -cacert +- Commands: health, pubkey, account (list/create/get/update/delete), + role (list/set), token (validate/issue/revoke), + pgcreds (get/set) +- Connects with TLS; custom CA cert support for self-signed certs + +**Tests** +- `internal/grpcserver/grpcserver_test.go`: 20 tests using bufconn + (in-process, no network sockets); covers: + - Health and GetPublicKey (public RPCs, no auth) + - Auth interceptor: no token, invalid token, revoked token all → 401 + - Non-admin calling admin RPC → 403 + - Login: success, wrong password, unknown user + - Logout and RenewToken + - ValidateToken: good token → valid=true; garbage → valid=false (no error) + - IssueServiceToken requires admin + - ListAccounts: non-admin → 403, admin → OK + - CreateAccount, GetAccount, UpdateAccount, SetRoles, GetRoles lifecycle + - SetPGCreds + GetPGCreds with AES-GCM round-trip verification + - PGCreds requires admin + - Credential fields absent from account responses (structural enforcement) + +**Dependencies added** +- `google.golang.org/grpc v1.68.0` +- `google.golang.org/protobuf v1.36.0` +- `google.golang.org/grpc/test/bufconn` (test only, included in grpc module) + +Total: 137 tests, all pass, zero race conditions (go test -race ./...) + ### 2026-03-11 — Phase 6: mciasdb **cmd/mciasdb** diff --git a/cmd/mciasctl/main.go b/cmd/mciasctl/main.go new file mode 100644 index 0000000..df80bd2 --- /dev/null +++ b/cmd/mciasctl/main.go @@ -0,0 +1,473 @@ +// Command mciasctl is the MCIAS admin CLI. +// +// It connects to a running mciassrv instance and provides subcommands for +// managing accounts, roles, tokens, and Postgres credentials. +// +// Usage: +// +// mciasctl [global flags] [args] +// +// Global flags: +// +// -server URL of the mciassrv instance (default: https://localhost:8443) +// -token Bearer token for authentication (or set MCIAS_TOKEN env var) +// -cacert Path to CA certificate for TLS verification (optional) +// +// Commands: +// +// account list +// account create -username NAME -password PASS [-type human|system] +// account get -id UUID +// account update -id UUID [-status active|inactive] +// account delete -id UUID +// +// role list -id UUID +// role set -id UUID -roles role1,role2,... +// +// token issue -id UUID +// token revoke -jti JTI +// +// pgcreds set -id UUID -host HOST -port PORT -db DB -user USER -password PASS +// pgcreds get -id UUID +package main + +import ( + "crypto/tls" + "crypto/x509" + "encoding/json" + "flag" + "fmt" + "net/http" + "os" + "strings" + "time" +) + +func main() { + // Global flags. + serverURL := flag.String("server", "https://localhost:8443", "mciassrv base URL") + tokenFlag := flag.String("token", "", "bearer token (or set MCIAS_TOKEN)") + caCert := flag.String("cacert", "", "path to CA certificate for TLS") + flag.Usage = usage + flag.Parse() + + // Resolve token from flag or environment. + bearerToken := *tokenFlag + if bearerToken == "" { + bearerToken = os.Getenv("MCIAS_TOKEN") + } + + args := flag.Args() + if len(args) == 0 { + usage() + os.Exit(1) + } + + // Build HTTP client. + client, err := newHTTPClient(*caCert) + if err != nil { + fatalf("build HTTP client: %v", err) + } + + ctl := &controller{ + serverURL: strings.TrimRight(*serverURL, "/"), + token: bearerToken, + client: client, + } + + command := args[0] + subArgs := args[1:] + + switch command { + case "account": + ctl.runAccount(subArgs) + case "role": + ctl.runRole(subArgs) + case "token": + ctl.runToken(subArgs) + case "pgcreds": + ctl.runPGCreds(subArgs) + default: + fatalf("unknown command %q; run with no args to see usage", command) + } +} + +// controller holds shared state for all subcommands. +type controller struct { + client *http.Client + serverURL string + token string +} + +// ---- account subcommands ---- + +func (c *controller) runAccount(args []string) { + if len(args) == 0 { + fatalf("account requires a subcommand: list, create, get, update, delete") + } + switch args[0] { + case "list": + c.accountList() + case "create": + c.accountCreate(args[1:]) + case "get": + c.accountGet(args[1:]) + case "update": + c.accountUpdate(args[1:]) + case "delete": + c.accountDelete(args[1:]) + default: + fatalf("unknown account subcommand %q", args[0]) + } +} + +func (c *controller) accountList() { + var result []json.RawMessage + c.doRequest("GET", "/v1/accounts", nil, &result) + printJSON(result) +} + +func (c *controller) accountCreate(args []string) { + fs := flag.NewFlagSet("account create", flag.ExitOnError) + username := fs.String("username", "", "username (required)") + password := fs.String("password", "", "password (required for human accounts)") + accountType := fs.String("type", "human", "account type: human or system") + _ = fs.Parse(args) + + if *username == "" { + fatalf("account create: -username is required") + } + + body := map[string]string{ + "username": *username, + "account_type": *accountType, + } + if *password != "" { + body["password"] = *password + } + + var result json.RawMessage + c.doRequest("POST", "/v1/accounts", body, &result) + printJSON(result) +} + +func (c *controller) accountGet(args []string) { + fs := flag.NewFlagSet("account get", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account get: -id is required") + } + + var result json.RawMessage + c.doRequest("GET", "/v1/accounts/"+*id, nil, &result) + printJSON(result) +} + +func (c *controller) accountUpdate(args []string) { + fs := flag.NewFlagSet("account update", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + status := fs.String("status", "", "new status: active or inactive") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account update: -id is required") + } + if *status == "" { + fatalf("account update: -status is required") + } + + body := map[string]string{"status": *status} + c.doRequest("PATCH", "/v1/accounts/"+*id, body, nil) + fmt.Println("account updated") +} + +func (c *controller) accountDelete(args []string) { + fs := flag.NewFlagSet("account delete", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account delete: -id is required") + } + + c.doRequest("DELETE", "/v1/accounts/"+*id, nil, nil) + fmt.Println("account deleted") +} + +// ---- role subcommands ---- + +func (c *controller) runRole(args []string) { + if len(args) == 0 { + fatalf("role requires a subcommand: list, set") + } + switch args[0] { + case "list": + c.roleList(args[1:]) + case "set": + c.roleSet(args[1:]) + default: + fatalf("unknown role subcommand %q", args[0]) + } +} + +func (c *controller) roleList(args []string) { + fs := flag.NewFlagSet("role list", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role list: -id is required") + } + + var result json.RawMessage + c.doRequest("GET", "/v1/accounts/"+*id+"/roles", nil, &result) + printJSON(result) +} + +func (c *controller) roleSet(args []string) { + fs := flag.NewFlagSet("role set", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + rolesFlag := fs.String("roles", "", "comma-separated list of roles") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role set: -id is required") + } + + roles := []string{} + if *rolesFlag != "" { + for _, r := range strings.Split(*rolesFlag, ",") { + r = strings.TrimSpace(r) + if r != "" { + roles = append(roles, r) + } + } + } + + body := map[string][]string{"roles": roles} + c.doRequest("PUT", "/v1/accounts/"+*id+"/roles", body, nil) + fmt.Printf("roles set: %v\n", roles) +} + +// ---- token subcommands ---- + +func (c *controller) runToken(args []string) { + if len(args) == 0 { + fatalf("token requires a subcommand: issue, revoke") + } + switch args[0] { + case "issue": + c.tokenIssue(args[1:]) + case "revoke": + c.tokenRevoke(args[1:]) + default: + fatalf("unknown token subcommand %q", args[0]) + } +} + +func (c *controller) tokenIssue(args []string) { + fs := flag.NewFlagSet("token issue", flag.ExitOnError) + id := fs.String("id", "", "system account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("token issue: -id is required") + } + + body := map[string]string{"account_id": *id} + var result json.RawMessage + c.doRequest("POST", "/v1/token/issue", body, &result) + printJSON(result) +} + +func (c *controller) tokenRevoke(args []string) { + fs := flag.NewFlagSet("token revoke", flag.ExitOnError) + jti := fs.String("jti", "", "JTI of the token to revoke (required)") + _ = fs.Parse(args) + + if *jti == "" { + fatalf("token revoke: -jti is required") + } + + c.doRequest("DELETE", "/v1/token/"+*jti, nil, nil) + fmt.Println("token revoked") +} + +// ---- pgcreds subcommands ---- + +func (c *controller) runPGCreds(args []string) { + if len(args) == 0 { + fatalf("pgcreds requires a subcommand: get, set") + } + switch args[0] { + case "get": + c.pgCredsGet(args[1:]) + case "set": + c.pgCredsSet(args[1:]) + default: + fatalf("unknown pgcreds subcommand %q", args[0]) + } +} + +func (c *controller) pgCredsGet(args []string) { + fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("pgcreds get: -id is required") + } + + var result json.RawMessage + c.doRequest("GET", "/v1/accounts/"+*id+"/pgcreds", nil, &result) + printJSON(result) +} + +func (c *controller) pgCredsSet(args []string) { + fs := flag.NewFlagSet("pgcreds set", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + host := fs.String("host", "", "Postgres host (required)") + port := fs.Int("port", 5432, "Postgres port") + dbName := fs.String("db", "", "Postgres database name (required)") + username := fs.String("user", "", "Postgres username (required)") + password := fs.String("password", "", "Postgres password (required)") + _ = fs.Parse(args) + + if *id == "" || *host == "" || *dbName == "" || *username == "" || *password == "" { + fatalf("pgcreds set: -id, -host, -db, -user, and -password are required") + } + + body := map[string]interface{}{ + "host": *host, + "port": *port, + "database": *dbName, + "username": *username, + "password": *password, + } + c.doRequest("PUT", "/v1/accounts/"+*id+"/pgcreds", body, nil) + fmt.Println("credentials stored") +} + +// ---- HTTP helpers ---- + +// doRequest performs an authenticated JSON HTTP request. If result is non-nil, +// the response body is decoded into it. Exits on error. +func (c *controller) doRequest(method, path string, body, result interface{}) { + url := c.serverURL + path + + var bodyReader *strings.Reader + if body != nil { + b, err := json.Marshal(body) + if err != nil { + fatalf("marshal request body: %v", err) + } + bodyReader = strings.NewReader(string(b)) + } else { + bodyReader = strings.NewReader("") + } + + req, err := http.NewRequest(method, url, bodyReader) + if err != nil { + fatalf("create request: %v", err) + } + req.Header.Set("Content-Type", "application/json") + if c.token != "" { + req.Header.Set("Authorization", "Bearer "+c.token) + } + + resp, err := c.client.Do(req) + if err != nil { + fatalf("HTTP %s %s: %v", method, path, err) + } + defer func() { _ = resp.Body.Close() }() + + if resp.StatusCode >= 400 { + var errBody map[string]string + _ = json.NewDecoder(resp.Body).Decode(&errBody) + msg := errBody["error"] + if msg == "" { + msg = resp.Status + } + fatalf("server returned %d: %s", resp.StatusCode, msg) + } + + if result != nil && resp.StatusCode != http.StatusNoContent { + if err := json.NewDecoder(resp.Body).Decode(result); err != nil { + fatalf("decode response: %v", err) + } + } +} + +// newHTTPClient builds an http.Client with optional custom CA certificate. +// Security: TLS 1.2+ is required; the system CA pool is used by default. +func newHTTPClient(caCertPath string) (*http.Client, error) { + tlsCfg := &tls.Config{ + MinVersion: tls.VersionTLS12, + } + + if caCertPath != "" { + // G304: path comes from a CLI flag supplied by the operator, not from + // untrusted input. File inclusion is intentional. + pemData, err := os.ReadFile(caCertPath) //nolint:gosec + if err != nil { + return nil, fmt.Errorf("read CA cert: %w", err) + } + pool := x509.NewCertPool() + if !pool.AppendCertsFromPEM(pemData) { + return nil, fmt.Errorf("no valid certificates found in %s", caCertPath) + } + tlsCfg.RootCAs = pool + } + + return &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsCfg, + }, + Timeout: 30 * time.Second, + }, nil +} + +// printJSON pretty-prints a JSON value to stdout. +func printJSON(v interface{}) { + enc := json.NewEncoder(os.Stdout) + enc.SetIndent("", " ") + if err := enc.Encode(v); err != nil { + fatalf("encode output: %v", err) + } +} + +// fatalf prints an error message and exits with code 1. +func fatalf(format string, args ...interface{}) { + fmt.Fprintf(os.Stderr, "mciasctl: "+format+"\n", args...) + os.Exit(1) +} + +func usage() { + fmt.Fprintf(os.Stderr, `mciasctl - MCIAS admin CLI + +Usage: mciasctl [global flags] [args] + +Global flags: + -server URL of the mciassrv instance (default: https://localhost:8443) + -token Bearer token (or set MCIAS_TOKEN env var) + -cacert Path to CA certificate for TLS verification + +Commands: + account list + account create -username NAME -password PASS [-type human|system] + account get -id UUID + account update -id UUID -status active|inactive + account delete -id UUID + + role list -id UUID + role set -id UUID -roles role1,role2,... + + token issue -id UUID + token revoke -jti JTI + + pgcreds get -id UUID + pgcreds set -id UUID -host HOST [-port PORT] -db DB -user USER -password PASS +`) +} diff --git a/cmd/mciasdb/account.go b/cmd/mciasdb/account.go new file mode 100644 index 0000000..da661ca --- /dev/null +++ b/cmd/mciasdb/account.go @@ -0,0 +1,251 @@ +package main + +import ( + "flag" + "fmt" + "os" + "strings" + + "git.wntrmute.dev/kyle/mcias/internal/auth" + "git.wntrmute.dev/kyle/mcias/internal/model" + "golang.org/x/term" +) + +func (t *tool) runAccount(args []string) { + if len(args) == 0 { + fatalf("account requires a subcommand: list, get, create, set-password, set-status, reset-totp") + } + switch args[0] { + case "list": + t.accountList() + case "get": + t.accountGet(args[1:]) + case "create": + t.accountCreate(args[1:]) + case "set-password": + t.accountSetPassword(args[1:]) + case "set-status": + t.accountSetStatus(args[1:]) + case "reset-totp": + t.accountResetTOTP(args[1:]) + default: + fatalf("unknown account subcommand %q", args[0]) + } +} + +func (t *tool) accountList() { + accounts, err := t.db.ListAccounts() + if err != nil { + fatalf("list accounts: %v", err) + } + if len(accounts) == 0 { + fmt.Println("no accounts found") + return + } + fmt.Printf("%-36s %-20s %-8s %-10s\n", "UUID", "USERNAME", "TYPE", "STATUS") + fmt.Println(strings.Repeat("-", 80)) + for _, a := range accounts { + fmt.Printf("%-36s %-20s %-8s %-10s\n", + a.UUID, a.Username, string(a.AccountType), string(a.Status)) + } +} + +func (t *tool) accountGet(args []string) { + fs := flag.NewFlagSet("account get", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account get: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + fmt.Printf("UUID: %s\n", a.UUID) + fmt.Printf("Username: %s\n", a.Username) + fmt.Printf("Type: %s\n", a.AccountType) + fmt.Printf("Status: %s\n", a.Status) + fmt.Printf("TOTP required: %v\n", a.TOTPRequired) + fmt.Printf("Created: %s\n", a.CreatedAt.Format("2006-01-02T15:04:05Z")) + fmt.Printf("Updated: %s\n", a.UpdatedAt.Format("2006-01-02T15:04:05Z")) + if a.DeletedAt != nil { + fmt.Printf("Deleted: %s\n", a.DeletedAt.Format("2006-01-02T15:04:05Z")) + } +} + +func (t *tool) accountCreate(args []string) { + fs := flag.NewFlagSet("account create", flag.ExitOnError) + username := fs.String("username", "", "username (required)") + accountType := fs.String("type", "human", "account type: human or system") + _ = fs.Parse(args) + + if *username == "" { + fatalf("account create: --username is required") + } + if *accountType != "human" && *accountType != "system" { + fatalf("account create: --type must be human or system") + } + + atype := model.AccountType(*accountType) + a, err := t.db.CreateAccount(*username, atype, "") + if err != nil { + fatalf("create account: %v", err) + } + + if err := t.db.WriteAuditEvent("account_created", nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","username":%q}`, *username)); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("created account %s (UUID: %s)\n", *username, a.UUID) +} + +// accountSetPassword prompts twice for a new password, hashes it with +// Argon2id, and updates the account's password_hash column. +// +// Security: No --password flag is provided; passwords must be entered +// interactively so they never appear in shell history or process listings. +// The password is hashed with Argon2id using OWASP-compliant parameters before +// any database write. +func (t *tool) accountSetPassword(args []string) { + fs := flag.NewFlagSet("account set-password", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account set-password: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + fmt.Printf("Setting password for account %s (%s)\n", a.Username, a.UUID) + + password, err := readPassword("New password: ") + if err != nil { + fatalf("read password: %v", err) + } + confirm, err := readPassword("Confirm password: ") + if err != nil { + fatalf("read confirm: %v", err) + } + if password != confirm { + fatalf("passwords do not match") + } + if password == "" { + fatalf("password must not be empty") + } + + hash, err := auth.HashPassword(password, auth.DefaultArgonParams()) + if err != nil { + fatalf("hash password: %v", err) + } + + if err := t.db.UpdatePasswordHash(a.ID, hash); err != nil { + fatalf("update password hash: %v", err) + } + + if err := t.db.WriteAuditEvent("account_updated", nil, &a.ID, "", `{"actor":"mciasdb","action":"set_password"}`); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("password updated for account %s\n", a.Username) +} + +func (t *tool) accountSetStatus(args []string) { + fs := flag.NewFlagSet("account set-status", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + status := fs.String("status", "", "new status: active, inactive, or deleted (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account set-status: --id is required") + } + if *status == "" { + fatalf("account set-status: --status is required") + } + + var newStatus model.AccountStatus + switch *status { + case "active": + newStatus = model.AccountStatusActive + case "inactive": + newStatus = model.AccountStatusInactive + case "deleted": + newStatus = model.AccountStatusDeleted + default: + fatalf("account set-status: --status must be active, inactive, or deleted") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + if err := t.db.UpdateAccountStatus(a.ID, newStatus); err != nil { + fatalf("update account status: %v", err) + } + + eventType := "account_updated" + if newStatus == model.AccountStatusDeleted { + eventType = "account_deleted" + } + if err := t.db.WriteAuditEvent(eventType, nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","status":%q}`, *status)); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("account %s status set to %s\n", a.Username, *status) +} + +// accountResetTOTP clears TOTP fields for the account, disabling the +// TOTP requirement. This is a break-glass operation for locked-out users. +func (t *tool) accountResetTOTP(args []string) { + fs := flag.NewFlagSet("account reset-totp", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account reset-totp: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + if err := t.db.ClearTOTP(a.ID); err != nil { + fatalf("clear TOTP: %v", err) + } + + if err := t.db.WriteAuditEvent("totp_removed", nil, &a.ID, "", `{"actor":"mciasdb","action":"reset_totp"}`); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("TOTP cleared for account %s\n", a.Username) +} + +// readPassword reads a password from the terminal without echo. +// Falls back to a regular line read if stdin is not a terminal (e.g. in tests). +func readPassword(prompt string) (string, error) { + fmt.Fprint(os.Stderr, prompt) + fd := int(os.Stdin.Fd()) //nolint:gosec // G115: file descriptors are non-negative and fit in int on all supported platforms + if term.IsTerminal(fd) { + pw, err := term.ReadPassword(fd) + fmt.Fprintln(os.Stderr) // newline after hidden input + if err != nil { + return "", fmt.Errorf("read password from terminal: %w", err) + } + return string(pw), nil + } + // Not a terminal: read a plain line (for piped input in tests). + var line string + _, err := fmt.Fscanln(os.Stdin, &line) + if err != nil { + return "", fmt.Errorf("read password: %w", err) + } + return line, nil +} diff --git a/cmd/mciasdb/audit.go b/cmd/mciasdb/audit.go new file mode 100644 index 0000000..371549c --- /dev/null +++ b/cmd/mciasdb/audit.go @@ -0,0 +1,116 @@ +package main + +import ( + "encoding/json" + "flag" + "fmt" + "os" + "time" + + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/model" +) + +func (t *tool) runAudit(args []string) { + if len(args) == 0 { + fatalf("audit requires a subcommand: tail, query") + } + switch args[0] { + case "tail": + t.auditTail(args[1:]) + case "query": + t.auditQuery(args[1:]) + default: + fatalf("unknown audit subcommand %q", args[0]) + } +} + +func (t *tool) auditTail(args []string) { + fs := flag.NewFlagSet("audit tail", flag.ExitOnError) + n := fs.Int("n", 50, "number of events to show") + asJSON := fs.Bool("json", false, "output as newline-delimited JSON") + _ = fs.Parse(args) + + if *n <= 0 { + fatalf("audit tail: --n must be positive") + } + + events, err := t.db.TailAuditEvents(*n) + if err != nil { + fatalf("tail audit events: %v", err) + } + + printAuditEvents(events, *asJSON) +} + +func (t *tool) auditQuery(args []string) { + fs := flag.NewFlagSet("audit query", flag.ExitOnError) + accountUUID := fs.String("account", "", "filter by account UUID (actor or target)") + eventType := fs.String("type", "", "filter by event type") + sinceStr := fs.String("since", "", "filter events on or after this RFC-3339 timestamp") + asJSON := fs.Bool("json", false, "output as newline-delimited JSON") + _ = fs.Parse(args) + + p := db.AuditQueryParams{ + EventType: *eventType, + } + + if *accountUUID != "" { + a, err := t.db.GetAccountByUUID(*accountUUID) + if err != nil { + fatalf("get account: %v", err) + } + p.AccountID = &a.ID + } + + if *sinceStr != "" { + since, err := time.Parse(time.RFC3339, *sinceStr) + if err != nil { + fatalf("audit query: --since must be an RFC-3339 timestamp (e.g. 2006-01-02T15:04:05Z): %v", err) + } + p.Since = &since + } + + events, err := t.db.ListAuditEvents(p) + if err != nil { + fatalf("query audit events: %v", err) + } + + printAuditEvents(events, *asJSON) +} + +func printAuditEvents(events []*model.AuditEvent, asJSON bool) { + if len(events) == 0 { + fmt.Println("no audit events found") + return + } + + if asJSON { + enc := json.NewEncoder(os.Stdout) + for _, ev := range events { + if err := enc.Encode(ev); err != nil { + fatalf("encode audit event: %v", err) + } + } + return + } + + fmt.Printf("%-20s %-22s %-15s %s\n", "TIME", "EVENT TYPE", "IP", "DETAILS") + fmt.Println("────────────────────────────────────────────────────────────────────────────────") + for _, ev := range events { + ip := ev.IPAddress + if ip == "" { + ip = "-" + } + details := ev.Details + if details == "" { + details = "-" + } + fmt.Printf("%-20s %-22s %-15s %s\n", + ev.EventTime.Format("2006-01-02T15:04:05Z"), + ev.EventType, + ip, + details, + ) + } +} diff --git a/cmd/mciasdb/main.go b/cmd/mciasdb/main.go new file mode 100644 index 0000000..49050d7 --- /dev/null +++ b/cmd/mciasdb/main.go @@ -0,0 +1,242 @@ +// Command mciasdb is the MCIAS database maintenance tool. +// +// It operates directly on the SQLite file, bypassing the mciassrv API. +// Use it for break-glass recovery, offline inspection, schema verification, +// and maintenance tasks when the server is unavailable. +// +// mciasdb requires the same master key configuration as mciassrv (passphrase +// environment variable or keyfile) to decrypt secrets at rest. +// +// Usage: +// +// mciasdb --config /etc/mcias/mcias.toml [subcommand] [flags] +// +// Commands: +// +// schema verify +// schema migrate +// +// account list +// account get --id UUID +// account create --username NAME --type human|system +// account set-password --id UUID +// account set-status --id UUID --status active|inactive|deleted +// account reset-totp --id UUID +// +// role list --id UUID +// role grant --id UUID --role ROLE +// role revoke --id UUID --role ROLE +// +// token list --id UUID +// token revoke --jti JTI +// token revoke-all --id UUID +// +// prune tokens +// +// audit tail [--n N] +// audit query [--account UUID] [--type TYPE] [--since RFC3339] [--json] +// +// pgcreds get --id UUID +// pgcreds set --id UUID --host H --port P --db D --user U +package main + +import ( + "errors" + "flag" + "fmt" + "os" + + "git.wntrmute.dev/kyle/mcias/internal/config" + "git.wntrmute.dev/kyle/mcias/internal/crypto" + "git.wntrmute.dev/kyle/mcias/internal/db" +) + +func main() { + configPath := flag.String("config", "mcias.toml", "path to TOML configuration file") + flag.Usage = usage + flag.Parse() + + args := flag.Args() + if len(args) == 0 { + usage() + os.Exit(1) + } + + database, masterKey, err := openDB(*configPath) + if err != nil { + fatalf("%v", err) + } + defer func() { + _ = database.Close() + // Zero the master key when done to reduce the window of in-memory exposure. + for i := range masterKey { + masterKey[i] = 0 + } + }() + + tool := &tool{db: database, masterKey: masterKey} + + command := args[0] + subArgs := args[1:] + + switch command { + case "schema": + tool.runSchema(subArgs) + case "account": + tool.runAccount(subArgs) + case "role": + tool.runRole(subArgs) + case "token": + tool.runToken(subArgs) + case "prune": + tool.runPrune(subArgs) + case "audit": + tool.runAudit(subArgs) + case "pgcreds": + tool.runPGCreds(subArgs) + default: + fatalf("unknown command %q; run with no args for usage", command) + } +} + +// tool holds shared state for all subcommand handlers. +type tool struct { + db *db.DB + masterKey []byte +} + +// openDB loads the config, derives the master key, opens and migrates the DB. +// +// Security: Master key derivation uses the same logic as mciassrv so that +// the same passphrase always yields the same key and encrypted secrets remain +// readable. The passphrase env var is unset immediately after reading. +func openDB(configPath string) (*db.DB, []byte, error) { + cfg, err := config.Load(configPath) + if err != nil { + return nil, nil, fmt.Errorf("load config: %w", err) + } + + database, err := db.Open(cfg.Database.Path) + if err != nil { + return nil, nil, fmt.Errorf("open database %q: %w", cfg.Database.Path, err) + } + + if err := db.Migrate(database); err != nil { + _ = database.Close() + return nil, nil, fmt.Errorf("migrate database: %w", err) + } + + masterKey, err := deriveMasterKey(cfg, database) + if err != nil { + _ = database.Close() + return nil, nil, fmt.Errorf("derive master key: %w", err) + } + + return database, masterKey, nil +} + +// deriveMasterKey derives or loads the AES-256-GCM master key from config, +// using identical logic to mciassrv so that encrypted DB secrets are readable. +// +// Security: Key file must be exactly 32 bytes (AES-256). Passphrase is read +// from the environment variable named in cfg.MasterKey.PassphraseEnv and +// cleared from the environment immediately after. The Argon2id KDF salt is +// loaded from the database; if absent the DB has no encrypted secrets yet. +func deriveMasterKey(cfg *config.Config, database *db.DB) ([]byte, error) { + if cfg.MasterKey.KeyFile != "" { + data, err := os.ReadFile(cfg.MasterKey.KeyFile) + if err != nil { + return nil, fmt.Errorf("read key file: %w", err) + } + if len(data) != 32 { + return nil, fmt.Errorf("key file must be exactly 32 bytes, got %d", len(data)) + } + key := make([]byte, 32) + copy(key, data) + for i := range data { + data[i] = 0 + } + return key, nil + } + + passphrase := os.Getenv(cfg.MasterKey.PassphraseEnv) + if passphrase == "" { + return nil, fmt.Errorf("environment variable %q is not set or empty", cfg.MasterKey.PassphraseEnv) + } + _ = os.Unsetenv(cfg.MasterKey.PassphraseEnv) + + salt, err := database.ReadMasterKeySalt() + if errors.Is(err, db.ErrNotFound) { + // No salt means the database has no encrypted secrets yet. + // Generate a new salt so future writes are consistent. + salt, err = crypto.NewSalt() + if err != nil { + return nil, fmt.Errorf("generate master key salt: %w", err) + } + if err := database.WriteMasterKeySalt(salt); err != nil { + return nil, fmt.Errorf("store master key salt: %w", err) + } + } else if err != nil { + return nil, fmt.Errorf("read master key salt: %w", err) + } + + key, err := crypto.DeriveKey(passphrase, salt) + if err != nil { + return nil, fmt.Errorf("derive master key: %w", err) + } + return key, nil +} + +// fatalf prints an error message to stderr and exits with code 1. +func fatalf(format string, args ...interface{}) { + fmt.Fprintf(os.Stderr, "mciasdb: "+format+"\n", args...) + os.Exit(1) +} + +// exitCode1 exits with code 1 without printing any message. +// Used when the message has already been printed. +func exitCode1() { + os.Exit(1) +} + +func usage() { + fmt.Fprint(os.Stderr, `mciasdb - MCIAS database maintenance tool + +Usage: mciasdb --config PATH [subcommand] [flags] + +Global flags: + --config Path to TOML config file (default: mcias.toml) + +Commands: + schema verify Check schema version; exit 1 if migrations pending + schema migrate Apply any pending schema migrations + + account list List all accounts + account get --id UUID + account create --username NAME --type human|system + account set-password --id UUID (prompts interactively) + account set-status --id UUID --status active|inactive|deleted + account reset-totp --id UUID + + role list --id UUID + role grant --id UUID --role ROLE + role revoke --id UUID --role ROLE + + token list --id UUID + token revoke --jti JTI + token revoke-all --id UUID + + prune tokens Delete expired token_revocation rows + + audit tail [--n N] (default 50) + audit query [--account UUID] [--type TYPE] [--since RFC3339] [--json] + + pgcreds get --id UUID + pgcreds set --id UUID --host H [--port P] --db D --user U + (password is prompted interactively) + +NOTE: mciasdb bypasses the mciassrv API and operates directly on the SQLite +file. Use it only when the server is unavailable or for break-glass recovery. +All write operations are recorded in the audit log. +`) +} diff --git a/cmd/mciasdb/mciasdb_test.go b/cmd/mciasdb/mciasdb_test.go new file mode 100644 index 0000000..da1af51 --- /dev/null +++ b/cmd/mciasdb/mciasdb_test.go @@ -0,0 +1,440 @@ +package main + +import ( + "bytes" + "fmt" + "io" + "os" + "strings" + "testing" + "time" + + "git.wntrmute.dev/kyle/mcias/internal/crypto" + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/model" +) + +// newTestTool creates a tool backed by an in-memory SQLite database with a +// freshly generated master key. The database is migrated to the latest schema. +func newTestTool(t *testing.T) *tool { + t.Helper() + database, err := db.Open(":memory:") + if err != nil { + t.Fatalf("open test DB: %v", err) + } + if err := db.Migrate(database); err != nil { + t.Fatalf("migrate test DB: %v", err) + } + t.Cleanup(func() { _ = database.Close() }) + + // Use a random 32-byte master key for encryption tests. + masterKey, err := crypto.RandomBytes(32) + if err != nil { + t.Fatalf("generate master key: %v", err) + } + + return &tool{db: database, masterKey: masterKey} +} + +// captureStdout captures stdout output during fn execution. +func captureStdout(t *testing.T, fn func()) string { + t.Helper() + orig := os.Stdout + r, w, err := os.Pipe() + if err != nil { + t.Fatalf("create pipe: %v", err) + } + os.Stdout = w + + fn() + + _ = w.Close() + os.Stdout = orig + + var buf bytes.Buffer + if _, err := io.Copy(&buf, r); err != nil { + t.Fatalf("copy stdout: %v", err) + } + return buf.String() +} + +// ---- schema tests ---- + +func TestSchemaVerifyUpToDate(t *testing.T) { + tool := newTestTool(t) + // Capture output; schemaVerify calls exitCode1 if migrations pending, + // but with a freshly migrated DB it should print "up-to-date". + out := captureStdout(t, tool.schemaVerify) + if !strings.Contains(out, "up-to-date") { + t.Errorf("expected 'up-to-date' in output, got: %s", out) + } +} + +// ---- account tests ---- + +func TestAccountListEmpty(t *testing.T) { + tool := newTestTool(t) + out := captureStdout(t, tool.accountList) + if !strings.Contains(out, "no accounts") { + t.Errorf("expected 'no accounts' in output, got: %s", out) + } +} + +func TestAccountCreateAndList(t *testing.T) { + tool := newTestTool(t) + + // Create via DB method directly (accountCreate reads args via flags so + // we test the DB path to avoid os.Exit on parse error). + a, err := tool.db.CreateAccount("testuser", model.AccountTypeHuman, "") + if err != nil { + t.Fatalf("create account: %v", err) + } + if a.UUID == "" { + t.Error("expected UUID to be set") + } + + out := captureStdout(t, tool.accountList) + if !strings.Contains(out, "testuser") { + t.Errorf("expected 'testuser' in list output, got: %s", out) + } +} + +func TestAccountGetByUUID(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("getuser", model.AccountTypeSystem, "") + if err != nil { + t.Fatalf("create account: %v", err) + } + + out := captureStdout(t, func() { + tool.accountGet([]string{"--id", a.UUID}) + }) + if !strings.Contains(out, "getuser") { + t.Errorf("expected 'getuser' in get output, got: %s", out) + } + if !strings.Contains(out, "system") { + t.Errorf("expected 'system' in get output, got: %s", out) + } +} + +func TestAccountSetStatus(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("statususer", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + captureStdout(t, func() { + tool.accountSetStatus([]string{"--id", a.UUID, "--status", "inactive"}) + }) + + updated, err := tool.db.GetAccountByUUID(a.UUID) + if err != nil { + t.Fatalf("get account after update: %v", err) + } + if updated.Status != model.AccountStatusInactive { + t.Errorf("expected inactive status, got %s", updated.Status) + } +} + +func TestAccountResetTOTP(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("totpuser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + // Set TOTP fields. + if err := tool.db.SetTOTP(a.ID, []byte("enc"), []byte("nonce")); err != nil { + t.Fatalf("set TOTP: %v", err) + } + + captureStdout(t, func() { + tool.accountResetTOTP([]string{"--id", a.UUID}) + }) + + updated, err := tool.db.GetAccountByUUID(a.UUID) + if err != nil { + t.Fatalf("get account after reset: %v", err) + } + if updated.TOTPRequired { + t.Error("expected TOTP to be cleared") + } + if len(updated.TOTPSecretEnc) != 0 { + t.Error("expected TOTP secret to be cleared") + } +} + +// ---- role tests ---- + +func TestRoleGrantAndList(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("roleuser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + captureStdout(t, func() { + tool.roleGrant([]string{"--id", a.UUID, "--role", "admin"}) + }) + + roles, err := tool.db.GetRoles(a.ID) + if err != nil { + t.Fatalf("get roles: %v", err) + } + if len(roles) != 1 || roles[0] != "admin" { + t.Errorf("expected [admin], got %v", roles) + } + + out := captureStdout(t, func() { + tool.roleList([]string{"--id", a.UUID}) + }) + if !strings.Contains(out, "admin") { + t.Errorf("expected 'admin' in role list, got: %s", out) + } +} + +func TestRoleRevoke(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("revokeuser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + if err := tool.db.GrantRole(a.ID, "editor", nil); err != nil { + t.Fatalf("grant role: %v", err) + } + + captureStdout(t, func() { + tool.roleRevoke([]string{"--id", a.UUID, "--role", "editor"}) + }) + + roles, err := tool.db.GetRoles(a.ID) + if err != nil { + t.Fatalf("get roles after revoke: %v", err) + } + if len(roles) != 0 { + t.Errorf("expected no roles after revoke, got %v", roles) + } +} + +// ---- token tests ---- + +func TestTokenListAndRevoke(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("tokenuser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + now := time.Now().UTC() + if err := tool.db.TrackToken("test-jti-1", a.ID, now, now.Add(time.Hour)); err != nil { + t.Fatalf("track token: %v", err) + } + + out := captureStdout(t, func() { + tool.tokenList([]string{"--id", a.UUID}) + }) + if !strings.Contains(out, "test-jti-1") { + t.Errorf("expected jti in token list, got: %s", out) + } + + captureStdout(t, func() { + tool.tokenRevoke([]string{"--jti", "test-jti-1"}) + }) + + rec, err := tool.db.GetTokenRecord("test-jti-1") + if err != nil { + t.Fatalf("get token record: %v", err) + } + if rec.RevokedAt == nil { + t.Error("expected token to be revoked") + } +} + +func TestTokenRevokeAll(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("revokealluser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + now := time.Now().UTC() + for i := 0; i < 3; i++ { + jti := fmt.Sprintf("bulk-jti-%d", i) + if err := tool.db.TrackToken(jti, a.ID, now, now.Add(time.Hour)); err != nil { + t.Fatalf("track token %d: %v", i, err) + } + } + + captureStdout(t, func() { + tool.tokenRevokeAll([]string{"--id", a.UUID}) + }) + + // Verify all tokens are revoked. + records, err := tool.db.ListTokensForAccount(a.ID) + if err != nil { + t.Fatalf("list tokens: %v", err) + } + for _, r := range records { + if r.RevokedAt == nil { + t.Errorf("token %s should be revoked", r.JTI) + } + } +} + +func TestPruneTokens(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("pruneuser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + past := time.Now().Add(-2 * time.Hour).UTC() + future := time.Now().Add(time.Hour).UTC() + + if err := tool.db.TrackToken("expired-jti", a.ID, past, past.Add(time.Minute)); err != nil { + t.Fatalf("track expired token: %v", err) + } + if err := tool.db.TrackToken("valid-jti", a.ID, future.Add(-time.Minute), future); err != nil { + t.Fatalf("track valid token: %v", err) + } + + out := captureStdout(t, tool.pruneTokens) + if !strings.Contains(out, "1") { + t.Errorf("expected 1 pruned in output, got: %s", out) + } + + // Valid token should still exist. + if _, err := tool.db.GetTokenRecord("valid-jti"); err != nil { + t.Errorf("valid token should survive pruning: %v", err) + } +} + +// ---- audit tests ---- + +func TestAuditTail(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("audituser", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + for i := 0; i < 5; i++ { + if err := tool.db.WriteAuditEvent(model.EventLoginOK, &a.ID, nil, "", ""); err != nil { + t.Fatalf("write audit event: %v", err) + } + } + + out := captureStdout(t, func() { + tool.auditTail([]string{"--n", "3"}) + }) + // Output should contain the event type. + if !strings.Contains(out, "login_ok") { + t.Errorf("expected login_ok in tail output, got: %s", out) + } +} + +func TestAuditQueryByType(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("auditquery", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + + if err := tool.db.WriteAuditEvent(model.EventLoginOK, &a.ID, nil, "", ""); err != nil { + t.Fatalf("write login_ok: %v", err) + } + if err := tool.db.WriteAuditEvent(model.EventLoginFail, &a.ID, nil, "", ""); err != nil { + t.Fatalf("write login_fail: %v", err) + } + + out := captureStdout(t, func() { + tool.auditQuery([]string{"--type", "login_fail"}) + }) + if !strings.Contains(out, "login_fail") { + t.Errorf("expected login_fail in query output, got: %s", out) + } + if strings.Contains(out, "login_ok") { + t.Errorf("unexpected login_ok in filtered query output, got: %s", out) + } +} + +func TestAuditQueryJSON(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("jsonaudit", model.AccountTypeHuman, "hash") + if err != nil { + t.Fatalf("create account: %v", err) + } + if err := tool.db.WriteAuditEvent(model.EventLoginOK, &a.ID, nil, "", ""); err != nil { + t.Fatalf("write event: %v", err) + } + + out := captureStdout(t, func() { + tool.auditQuery([]string{"--json"}) + }) + if !strings.Contains(out, `"event_type"`) { + t.Errorf("expected JSON output with event_type, got: %s", out) + } +} + +// ---- pgcreds tests ---- + +func TestPGCredsSetAndGet(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("pguser", model.AccountTypeSystem, "") + if err != nil { + t.Fatalf("create account: %v", err) + } + + // Encrypt and store credentials directly using the tool's master key. + password := "s3cr3t-pg-pass" + enc, nonce, err := crypto.SealAESGCM(tool.masterKey, []byte(password)) + if err != nil { + t.Fatalf("seal pgcreds: %v", err) + } + if err := tool.db.WritePGCredentials(a.ID, "db.example.com", 5432, "mydb", "myuser", enc, nonce); err != nil { + t.Fatalf("write pg credentials: %v", err) + } + + // pgCredsGet calls pgCredsGet which calls fatalf if decryption fails. + // We test round-trip via DB + crypto directly. + cred, err := tool.db.ReadPGCredentials(a.ID) + if err != nil { + t.Fatalf("read pg credentials: %v", err) + } + plaintext, err := crypto.OpenAESGCM(tool.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc) + if err != nil { + t.Fatalf("decrypt pg password: %v", err) + } + if string(plaintext) != password { + t.Errorf("expected password %q, got %q", password, string(plaintext)) + } +} + +func TestPGCredsGetNotFound(t *testing.T) { + tool := newTestTool(t) + + a, err := tool.db.CreateAccount("nopguser", model.AccountTypeSystem, "") + if err != nil { + t.Fatalf("create account: %v", err) + } + + // ReadPGCredentials for account with no credentials should return ErrNotFound. + _, err = tool.db.ReadPGCredentials(a.ID) + if err == nil { + t.Fatal("expected ErrNotFound, got nil") + } +} diff --git a/cmd/mciasdb/pgcreds.go b/cmd/mciasdb/pgcreds.go new file mode 100644 index 0000000..ee6d8ad --- /dev/null +++ b/cmd/mciasdb/pgcreds.go @@ -0,0 +1,127 @@ +package main + +import ( + "errors" + "flag" + "fmt" + "os" + + "git.wntrmute.dev/kyle/mcias/internal/crypto" + "git.wntrmute.dev/kyle/mcias/internal/db" +) + +func (t *tool) runPGCreds(args []string) { + if len(args) == 0 { + fatalf("pgcreds requires a subcommand: get, set") + } + switch args[0] { + case "get": + t.pgCredsGet(args[1:]) + case "set": + t.pgCredsSet(args[1:]) + default: + fatalf("unknown pgcreds subcommand %q", args[0]) + } +} + +// pgCredsGet decrypts and prints Postgres credentials for an account. +// A warning is printed before the output to remind the operator that +// the password is sensitive and must not be logged. +// +// Security: Credentials are decrypted in-memory using the master key and +// printed directly to stdout. The operator is responsible for ensuring the +// terminal output is not captured in logs. The plaintext password is never +// written to disk. +func (t *tool) pgCredsGet(args []string) { + fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("pgcreds get: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + cred, err := t.db.ReadPGCredentials(a.ID) + if errors.Is(err, db.ErrNotFound) { + fatalf("no Postgres credentials stored for account %s", a.Username) + } + if err != nil { + fatalf("read pg credentials: %v", err) + } + + // Decrypt the password. + // Security: AES-256-GCM decryption; any tampering with the ciphertext or + // nonce will cause decryption to fail with an authentication error. + plaintext, err := crypto.OpenAESGCM(t.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc) + if err != nil { + fatalf("decrypt pg password: %v", err) + } + + if err := t.db.WriteAuditEvent("pgcred_accessed", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + // Print warning before sensitive output. + fmt.Fprintln(os.Stderr, "WARNING: output below contains a plaintext password. Do not log or share.") + fmt.Printf("Host: %s\n", cred.PGHost) + fmt.Printf("Port: %d\n", cred.PGPort) + fmt.Printf("Database: %s\n", cred.PGDatabase) + fmt.Printf("Username: %s\n", cred.PGUsername) + fmt.Printf("Password: %s\n", string(plaintext)) +} + +// pgCredsSet prompts for a Postgres password interactively, encrypts it with +// AES-256-GCM, and stores the credentials for the given account. +// +// Security: No --password flag is provided to prevent the password from +// appearing in shell history or process listings. Encryption uses a fresh +// random nonce each time. +func (t *tool) pgCredsSet(args []string) { + fs := flag.NewFlagSet("pgcreds set", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + host := fs.String("host", "", "Postgres host (required)") + port := fs.Int("port", 5432, "Postgres port") + dbName := fs.String("db", "", "Postgres database name (required)") + username := fs.String("user", "", "Postgres username (required)") + _ = fs.Parse(args) + + if *id == "" || *host == "" || *dbName == "" || *username == "" { + fatalf("pgcreds set: --id, --host, --db, and --user are required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + password, err := readPassword("Postgres password: ") + if err != nil { + fatalf("read password: %v", err) + } + if password == "" { + fatalf("password must not be empty") + } + + // Encrypt the password at rest. + // Security: AES-256-GCM with a fresh random nonce ensures ciphertext + // uniqueness even if the same password is stored multiple times. + enc, nonce, err := crypto.SealAESGCM(t.masterKey, []byte(password)) + if err != nil { + fatalf("encrypt pg password: %v", err) + } + + if err := t.db.WritePGCredentials(a.ID, *host, *port, *dbName, *username, enc, nonce); err != nil { + fatalf("write pg credentials: %v", err) + } + + if err := t.db.WriteAuditEvent("pgcred_updated", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("Postgres credentials stored for account %s\n", a.Username) +} diff --git a/cmd/mciasdb/role.go b/cmd/mciasdb/role.go new file mode 100644 index 0000000..c9c1159 --- /dev/null +++ b/cmd/mciasdb/role.go @@ -0,0 +1,112 @@ +package main + +import ( + "flag" + "fmt" + "os" + "strings" +) + +func (t *tool) runRole(args []string) { + if len(args) == 0 { + fatalf("role requires a subcommand: list, grant, revoke") + } + switch args[0] { + case "list": + t.roleList(args[1:]) + case "grant": + t.roleGrant(args[1:]) + case "revoke": + t.roleRevoke(args[1:]) + default: + fatalf("unknown role subcommand %q", args[0]) + } +} + +func (t *tool) roleList(args []string) { + fs := flag.NewFlagSet("role list", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role list: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + roles, err := t.db.GetRoles(a.ID) + if err != nil { + fatalf("get roles: %v", err) + } + + if len(roles) == 0 { + fmt.Printf("account %s has no roles\n", a.Username) + return + } + fmt.Printf("roles for %s (%s):\n", a.Username, a.UUID) + for _, r := range roles { + fmt.Printf(" %s\n", r) + } +} + +func (t *tool) roleGrant(args []string) { + fs := flag.NewFlagSet("role grant", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + role := fs.String("role", "", "role to grant (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role grant: --id is required") + } + if *role == "" { + fatalf("role grant: --role is required") + } + *role = strings.TrimSpace(*role) + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + if err := t.db.GrantRole(a.ID, *role, nil); err != nil { + fatalf("grant role: %v", err) + } + + if err := t.db.WriteAuditEvent("role_granted", nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","role":%q}`, *role)); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("granted role %q to account %s\n", *role, a.Username) +} + +func (t *tool) roleRevoke(args []string) { + fs := flag.NewFlagSet("role revoke", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + role := fs.String("role", "", "role to revoke (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role revoke: --id is required") + } + if *role == "" { + fatalf("role revoke: --role is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + if err := t.db.RevokeRole(a.ID, *role); err != nil { + fatalf("revoke role: %v", err) + } + + if err := t.db.WriteAuditEvent("role_revoked", nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","role":%q}`, *role)); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("revoked role %q from account %s\n", *role, a.Username) +} diff --git a/cmd/mciasdb/schema.go b/cmd/mciasdb/schema.go new file mode 100644 index 0000000..f5ace9a --- /dev/null +++ b/cmd/mciasdb/schema.go @@ -0,0 +1,63 @@ +package main + +import ( + "fmt" + + "git.wntrmute.dev/kyle/mcias/internal/db" +) + +func (t *tool) runSchema(args []string) { + if len(args) == 0 { + fatalf("schema requires a subcommand: verify, migrate") + } + switch args[0] { + case "verify": + t.schemaVerify() + case "migrate": + t.schemaMigrate() + default: + fatalf("unknown schema subcommand %q", args[0]) + } +} + +// schemaVerify reports the current schema version and exits 1 if migrations +// are pending, 0 if the database is up-to-date. +func (t *tool) schemaVerify() { + version, err := db.SchemaVersion(t.db) + if err != nil { + fatalf("get schema version: %v", err) + } + latest := db.LatestSchemaVersion + fmt.Printf("schema version: %d (latest: %d)\n", version, latest) + if version < latest { + fmt.Printf("%d migration(s) pending\n", latest-version) + // Exit 1 to signal that migrations are needed (useful in scripts). + // We call os.Exit directly rather than fatalf to avoid printing "mciasdb: ". + fmt.Println("run 'mciasdb schema migrate' to apply pending migrations") + exitCode1() + } + fmt.Println("schema is up-to-date") +} + +// schemaMigrate applies any pending migrations and reports each one. +func (t *tool) schemaMigrate() { + before, err := db.SchemaVersion(t.db) + if err != nil { + fatalf("get schema version: %v", err) + } + + if err := db.Migrate(t.db); err != nil { + fatalf("migrate: %v", err) + } + + after, err := db.SchemaVersion(t.db) + if err != nil { + fatalf("get schema version after migrate: %v", err) + } + + if before == after { + fmt.Println("no migrations needed; schema is already up-to-date") + return + } + fmt.Printf("migrated schema from version %d to %d\n", before, after) +} diff --git a/cmd/mciasdb/token.go b/cmd/mciasdb/token.go new file mode 100644 index 0000000..5748be0 --- /dev/null +++ b/cmd/mciasdb/token.go @@ -0,0 +1,130 @@ +package main + +import ( + "flag" + "fmt" + "os" + "strings" +) + +func (t *tool) runToken(args []string) { + if len(args) == 0 { + fatalf("token requires a subcommand: list, revoke, revoke-all") + } + switch args[0] { + case "list": + t.tokenList(args[1:]) + case "revoke": + t.tokenRevoke(args[1:]) + case "revoke-all": + t.tokenRevokeAll(args[1:]) + default: + fatalf("unknown token subcommand %q", args[0]) + } +} + +func (t *tool) runPrune(args []string) { + if len(args) == 0 { + fatalf("prune requires a subcommand: tokens") + } + switch args[0] { + case "tokens": + t.pruneTokens() + default: + fatalf("unknown prune subcommand %q", args[0]) + } +} + +func (t *tool) tokenList(args []string) { + fs := flag.NewFlagSet("token list", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("token list: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + records, err := t.db.ListTokensForAccount(a.ID) + if err != nil { + fatalf("list tokens: %v", err) + } + + if len(records) == 0 { + fmt.Printf("no token records for account %s\n", a.Username) + return + } + + fmt.Printf("tokens for %s (%s):\n", a.Username, a.UUID) + fmt.Printf("%-36s %-20s %-20s %-20s\n", "JTI", "ISSUED AT", "EXPIRES AT", "REVOKED AT") + fmt.Println(strings.Repeat("-", 100)) + for _, r := range records { + revokedAt := "-" + if r.RevokedAt != nil { + revokedAt = r.RevokedAt.Format("2006-01-02T15:04:05Z") + } + fmt.Printf("%-36s %-20s %-20s %-20s\n", + r.JTI, + r.IssuedAt.Format("2006-01-02T15:04:05Z"), + r.ExpiresAt.Format("2006-01-02T15:04:05Z"), + revokedAt, + ) + } +} + +func (t *tool) tokenRevoke(args []string) { + fs := flag.NewFlagSet("token revoke", flag.ExitOnError) + jti := fs.String("jti", "", "JTI of the token to revoke (required)") + _ = fs.Parse(args) + + if *jti == "" { + fatalf("token revoke: --jti is required") + } + + if err := t.db.RevokeToken(*jti, "mciasdb"); err != nil { + fatalf("revoke token: %v", err) + } + + if err := t.db.WriteAuditEvent("token_revoked", nil, nil, "", fmt.Sprintf(`{"actor":"mciasdb","jti":%q}`, *jti)); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("token %s revoked\n", *jti) +} + +func (t *tool) tokenRevokeAll(args []string) { + fs := flag.NewFlagSet("token revoke-all", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("token revoke-all: --id is required") + } + + a, err := t.db.GetAccountByUUID(*id) + if err != nil { + fatalf("get account: %v", err) + } + + if err := t.db.RevokeAllUserTokens(a.ID, "mciasdb"); err != nil { + fatalf("revoke all tokens: %v", err) + } + + if err := t.db.WriteAuditEvent("token_revoked", nil, &a.ID, "", `{"actor":"mciasdb","action":"revoke_all"}`); err != nil { + fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err) + } + + fmt.Printf("all active tokens revoked for account %s\n", a.Username) +} + +func (t *tool) pruneTokens() { + count, err := t.db.PruneExpiredTokens() + if err != nil { + fatalf("prune expired tokens: %v", err) + } + fmt.Printf("pruned %d expired token record(s)\n", count) +} diff --git a/cmd/mciasgrpcctl/main.go b/cmd/mciasgrpcctl/main.go new file mode 100644 index 0000000..c44d495 --- /dev/null +++ b/cmd/mciasgrpcctl/main.go @@ -0,0 +1,602 @@ +// Command mciasgrpcctl is the MCIAS gRPC admin CLI. +// +// It connects to a running mciassrv gRPC listener and provides subcommands for +// managing accounts, roles, tokens, and Postgres credentials via the gRPC API. +// +// Usage: +// +// mciasgrpcctl [global flags] [args] +// +// Global flags: +// +// -server gRPC server address (default: localhost:9443) +// -token Bearer token for authentication (or set MCIAS_TOKEN env var) +// -cacert Path to CA certificate for TLS verification (optional) +// +// Commands: +// +// health +// pubkey +// +// account list +// account create -username NAME -password PASS [-type human|system] +// account get -id UUID +// account update -id UUID -status active|inactive +// account delete -id UUID +// +// role list -id UUID +// role set -id UUID -roles role1,role2,... +// +// token validate -token TOKEN +// token issue -id UUID +// token revoke -jti JTI +// +// pgcreds get -id UUID +// pgcreds set -id UUID -host HOST [-port PORT] -db DB -user USER -password PASS +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/json" + "flag" + "fmt" + "os" + "strings" + "time" + + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/metadata" + + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +func main() { + // Global flags. + serverAddr := flag.String("server", "localhost:9443", "gRPC server address (host:port)") + tokenFlag := flag.String("token", "", "bearer token (or set MCIAS_TOKEN)") + caCert := flag.String("cacert", "", "path to CA certificate for TLS") + flag.Usage = usage + flag.Parse() + + // Resolve token from flag or environment. + bearerToken := *tokenFlag + if bearerToken == "" { + bearerToken = os.Getenv("MCIAS_TOKEN") + } + + args := flag.Args() + if len(args) == 0 { + usage() + os.Exit(1) + } + + // Build gRPC connection. + conn, err := newGRPCConn(*serverAddr, *caCert) + if err != nil { + fatalf("connect to gRPC server: %v", err) + } + defer func() { _ = conn.Close() }() + + ctl := &controller{ + conn: conn, + token: bearerToken, + } + + command := args[0] + subArgs := args[1:] + + switch command { + case "health": + ctl.runHealth() + case "pubkey": + ctl.runPubKey() + case "account": + ctl.runAccount(subArgs) + case "role": + ctl.runRole(subArgs) + case "token": + ctl.runToken(subArgs) + case "pgcreds": + ctl.runPGCreds(subArgs) + default: + fatalf("unknown command %q; run with no args to see usage", command) + } +} + +// controller holds the shared gRPC connection and token for all subcommands. +type controller struct { + conn *grpc.ClientConn + token string +} + +// authCtx returns a context with the Bearer token injected as gRPC metadata. +// Security: token is placed in the "authorization" key per the gRPC convention +// that mirrors the HTTP Authorization header. Value is never logged. +func (c *controller) authCtx() context.Context { + ctx := context.Background() + if c.token == "" { + return ctx + } + // Security: metadata key "authorization" matches the server-side + // extractBearerFromMD expectation; value is "Bearer ". + return metadata.AppendToOutgoingContext(ctx, "authorization", "Bearer "+c.token) +} + +// callCtx returns an authCtx with a 30-second deadline. +func (c *controller) callCtx() (context.Context, context.CancelFunc) { + return context.WithTimeout(c.authCtx(), 30*time.Second) +} + +// ---- health / pubkey ---- + +func (c *controller) runHealth() { + adminCl := mciasv1.NewAdminServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := adminCl.Health(ctx, &mciasv1.HealthRequest{}) + if err != nil { + fatalf("health: %v", err) + } + printJSON(map[string]string{"status": resp.Status}) +} + +func (c *controller) runPubKey() { + adminCl := mciasv1.NewAdminServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := adminCl.GetPublicKey(ctx, &mciasv1.GetPublicKeyRequest{}) + if err != nil { + fatalf("pubkey: %v", err) + } + printJSON(map[string]string{ + "kty": resp.Kty, + "crv": resp.Crv, + "use": resp.Use, + "alg": resp.Alg, + "x": resp.X, + }) +} + +// ---- account subcommands ---- + +func (c *controller) runAccount(args []string) { + if len(args) == 0 { + fatalf("account requires a subcommand: list, create, get, update, delete") + } + switch args[0] { + case "list": + c.accountList() + case "create": + c.accountCreate(args[1:]) + case "get": + c.accountGet(args[1:]) + case "update": + c.accountUpdate(args[1:]) + case "delete": + c.accountDelete(args[1:]) + default: + fatalf("unknown account subcommand %q", args[0]) + } +} + +func (c *controller) accountList() { + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := cl.ListAccounts(ctx, &mciasv1.ListAccountsRequest{}) + if err != nil { + fatalf("account list: %v", err) + } + printJSON(resp.Accounts) +} + +func (c *controller) accountCreate(args []string) { + fs := flag.NewFlagSet("account create", flag.ExitOnError) + username := fs.String("username", "", "username (required)") + password := fs.String("password", "", "password (required for human accounts)") + accountType := fs.String("type", "human", "account type: human or system") + _ = fs.Parse(args) + + if *username == "" { + fatalf("account create: -username is required") + } + + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := cl.CreateAccount(ctx, &mciasv1.CreateAccountRequest{ + Username: *username, + Password: *password, + AccountType: *accountType, + }) + if err != nil { + fatalf("account create: %v", err) + } + printJSON(resp.Account) +} + +func (c *controller) accountGet(args []string) { + fs := flag.NewFlagSet("account get", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account get: -id is required") + } + + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := cl.GetAccount(ctx, &mciasv1.GetAccountRequest{Id: *id}) + if err != nil { + fatalf("account get: %v", err) + } + printJSON(resp.Account) +} + +func (c *controller) accountUpdate(args []string) { + fs := flag.NewFlagSet("account update", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + status := fs.String("status", "", "new status: active or inactive (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account update: -id is required") + } + if *status == "" { + fatalf("account update: -status is required") + } + + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + _, err := cl.UpdateAccount(ctx, &mciasv1.UpdateAccountRequest{ + Id: *id, + Status: *status, + }) + if err != nil { + fatalf("account update: %v", err) + } + fmt.Println("account updated") +} + +func (c *controller) accountDelete(args []string) { + fs := flag.NewFlagSet("account delete", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("account delete: -id is required") + } + + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + _, err := cl.DeleteAccount(ctx, &mciasv1.DeleteAccountRequest{Id: *id}) + if err != nil { + fatalf("account delete: %v", err) + } + fmt.Println("account deleted") +} + +// ---- role subcommands ---- + +func (c *controller) runRole(args []string) { + if len(args) == 0 { + fatalf("role requires a subcommand: list, set") + } + switch args[0] { + case "list": + c.roleList(args[1:]) + case "set": + c.roleSet(args[1:]) + default: + fatalf("unknown role subcommand %q", args[0]) + } +} + +func (c *controller) roleList(args []string) { + fs := flag.NewFlagSet("role list", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role list: -id is required") + } + + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := cl.GetRoles(ctx, &mciasv1.GetRolesRequest{Id: *id}) + if err != nil { + fatalf("role list: %v", err) + } + printJSON(resp.Roles) +} + +func (c *controller) roleSet(args []string) { + fs := flag.NewFlagSet("role set", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + rolesFlag := fs.String("roles", "", "comma-separated list of roles") + _ = fs.Parse(args) + + if *id == "" { + fatalf("role set: -id is required") + } + + var roles []string + if *rolesFlag != "" { + for _, r := range strings.Split(*rolesFlag, ",") { + r = strings.TrimSpace(r) + if r != "" { + roles = append(roles, r) + } + } + } + + cl := mciasv1.NewAccountServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + _, err := cl.SetRoles(ctx, &mciasv1.SetRolesRequest{Id: *id, Roles: roles}) + if err != nil { + fatalf("role set: %v", err) + } + fmt.Printf("roles set: %v\n", roles) +} + +// ---- token subcommands ---- + +func (c *controller) runToken(args []string) { + if len(args) == 0 { + fatalf("token requires a subcommand: validate, issue, revoke") + } + switch args[0] { + case "validate": + c.tokenValidate(args[1:]) + case "issue": + c.tokenIssue(args[1:]) + case "revoke": + c.tokenRevoke(args[1:]) + default: + fatalf("unknown token subcommand %q", args[0]) + } +} + +func (c *controller) tokenValidate(args []string) { + fs := flag.NewFlagSet("token validate", flag.ExitOnError) + tok := fs.String("token", "", "JWT to validate (required)") + _ = fs.Parse(args) + + if *tok == "" { + fatalf("token validate: -token is required") + } + + cl := mciasv1.NewTokenServiceClient(c.conn) + // ValidateToken is public — no auth context needed. + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + + resp, err := cl.ValidateToken(ctx, &mciasv1.ValidateTokenRequest{Token: *tok}) + if err != nil { + fatalf("token validate: %v", err) + } + printJSON(map[string]interface{}{ + "valid": resp.Valid, + "subject": resp.Subject, + "roles": resp.Roles, + }) +} + +func (c *controller) tokenIssue(args []string) { + fs := flag.NewFlagSet("token issue", flag.ExitOnError) + id := fs.String("id", "", "system account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("token issue: -id is required") + } + + cl := mciasv1.NewTokenServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := cl.IssueServiceToken(ctx, &mciasv1.IssueServiceTokenRequest{AccountId: *id}) + if err != nil { + fatalf("token issue: %v", err) + } + printJSON(map[string]string{"token": resp.Token}) +} + +func (c *controller) tokenRevoke(args []string) { + fs := flag.NewFlagSet("token revoke", flag.ExitOnError) + jti := fs.String("jti", "", "JTI of the token to revoke (required)") + _ = fs.Parse(args) + + if *jti == "" { + fatalf("token revoke: -jti is required") + } + + cl := mciasv1.NewTokenServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + _, err := cl.RevokeToken(ctx, &mciasv1.RevokeTokenRequest{Jti: *jti}) + if err != nil { + fatalf("token revoke: %v", err) + } + fmt.Println("token revoked") +} + +// ---- pgcreds subcommands ---- + +func (c *controller) runPGCreds(args []string) { + if len(args) == 0 { + fatalf("pgcreds requires a subcommand: get, set") + } + switch args[0] { + case "get": + c.pgCredsGet(args[1:]) + case "set": + c.pgCredsSet(args[1:]) + default: + fatalf("unknown pgcreds subcommand %q", args[0]) + } +} + +func (c *controller) pgCredsGet(args []string) { + fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + _ = fs.Parse(args) + + if *id == "" { + fatalf("pgcreds get: -id is required") + } + + cl := mciasv1.NewCredentialServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + resp, err := cl.GetPGCreds(ctx, &mciasv1.GetPGCredsRequest{Id: *id}) + if err != nil { + fatalf("pgcreds get: %v", err) + } + if resp.Creds == nil { + fatalf("pgcreds get: no credentials returned") + } + printJSON(map[string]interface{}{ + "host": resp.Creds.Host, + "port": resp.Creds.Port, + "database": resp.Creds.Database, + "username": resp.Creds.Username, + "password": resp.Creds.Password, + }) +} + +func (c *controller) pgCredsSet(args []string) { + fs := flag.NewFlagSet("pgcreds set", flag.ExitOnError) + id := fs.String("id", "", "account UUID (required)") + host := fs.String("host", "", "Postgres host (required)") + port := fs.Int("port", 5432, "Postgres port") + dbName := fs.String("db", "", "Postgres database name (required)") + username := fs.String("user", "", "Postgres username (required)") + password := fs.String("password", "", "Postgres password (required)") + _ = fs.Parse(args) + + if *id == "" || *host == "" || *dbName == "" || *username == "" || *password == "" { + fatalf("pgcreds set: -id, -host, -db, -user, and -password are required") + } + + cl := mciasv1.NewCredentialServiceClient(c.conn) + ctx, cancel := c.callCtx() + defer cancel() + + _, err := cl.SetPGCreds(ctx, &mciasv1.SetPGCredsRequest{ + Id: *id, + Creds: &mciasv1.PGCreds{ + Host: *host, + Port: int32(*port), + Database: *dbName, + Username: *username, + Password: *password, + }, + }) + if err != nil { + fatalf("pgcreds set: %v", err) + } + fmt.Println("credentials stored") +} + +// ---- gRPC connection ---- + +// newGRPCConn dials the gRPC server with TLS. +// If caCertPath is empty, the system CA pool is used. +// Security: TLS 1.2+ is enforced by the crypto/tls defaults on the client side. +// The connection is insecure-skip-verify-free; operators can supply a custom CA +// for self-signed certs without disabling certificate validation. +func newGRPCConn(serverAddr, caCertPath string) (*grpc.ClientConn, error) { + tlsCfg := &tls.Config{ + MinVersion: tls.VersionTLS12, + } + + if caCertPath != "" { + // G304: path comes from a CLI flag supplied by the operator, not + // from untrusted input. File inclusion is intentional. + pemData, err := os.ReadFile(caCertPath) //nolint:gosec + if err != nil { + return nil, fmt.Errorf("read CA cert: %w", err) + } + pool := x509.NewCertPool() + if !pool.AppendCertsFromPEM(pemData) { + return nil, fmt.Errorf("no valid certificates found in %s", caCertPath) + } + tlsCfg.RootCAs = pool + } + + creds := credentials.NewTLS(tlsCfg) + conn, err := grpc.NewClient(serverAddr, grpc.WithTransportCredentials(creds)) + if err != nil { + return nil, fmt.Errorf("dial %s: %w", serverAddr, err) + } + return conn, nil +} + +// ---- helpers ---- + +// printJSON pretty-prints a value as JSON to stdout. +func printJSON(v interface{}) { + enc := json.NewEncoder(os.Stdout) + enc.SetIndent("", " ") + if err := enc.Encode(v); err != nil { + fatalf("encode output: %v", err) + } +} + +// fatalf prints an error message to stderr and exits with code 1. +func fatalf(format string, args ...interface{}) { + fmt.Fprintf(os.Stderr, "mciasgrpcctl: "+format+"\n", args...) + os.Exit(1) +} + +func usage() { + fmt.Fprintf(os.Stderr, `mciasgrpcctl - MCIAS gRPC admin CLI + +Usage: mciasgrpcctl [global flags] [args] + +Global flags: + -server gRPC server address (default: localhost:9443) + -token Bearer token (or set MCIAS_TOKEN env var) + -cacert Path to CA certificate for TLS verification + +Commands: + health + pubkey + + account list + account create -username NAME -password PASS [-type human|system] + account get -id UUID + account update -id UUID -status active|inactive + account delete -id UUID + + role list -id UUID + role set -id UUID -roles role1,role2,... + + token validate -token TOKEN + token issue -id UUID + token revoke -jti JTI + + pgcreds get -id UUID + pgcreds set -id UUID -host HOST [-port PORT] -db DB -user USER -password PASS +`) +} diff --git a/cmd/mciassrv/main.go b/cmd/mciassrv/main.go new file mode 100644 index 0000000..d268e8f --- /dev/null +++ b/cmd/mciassrv/main.go @@ -0,0 +1,331 @@ +// Command mciassrv is the MCIAS authentication server. +// +// It reads a TOML configuration file, derives the master encryption key, +// loads or generates the Ed25519 signing key, opens the SQLite database, +// runs migrations, and starts an HTTPS listener. +// If [server] grpc_addr is set in the config, a gRPC/TLS listener is also +// started on that address. Both listeners share the same signing key, DB, +// and config. Graceful shutdown drains both within the configured window. +// +// Usage: +// +// mciassrv -config /etc/mcias/mcias.toml +package main + +import ( + "context" + "crypto/ed25519" + "crypto/tls" + "errors" + "flag" + "fmt" + "log/slog" + "net" + "net/http" + "os" + "os/signal" + "sync" + "syscall" + "time" + + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + + "git.wntrmute.dev/kyle/mcias/internal/config" + "git.wntrmute.dev/kyle/mcias/internal/crypto" + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/grpcserver" + "git.wntrmute.dev/kyle/mcias/internal/server" +) + +func main() { + configPath := flag.String("config", "mcias.toml", "path to TOML configuration file") + flag.Parse() + + logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{ + Level: slog.LevelInfo, + })) + + if err := run(*configPath, logger); err != nil { + logger.Error("fatal", "error", err) + os.Exit(1) + } +} + +func run(configPath string, logger *slog.Logger) error { + // Load and validate configuration. + cfg, err := config.Load(configPath) + if err != nil { + return fmt.Errorf("load config: %w", err) + } + logger.Info("configuration loaded", "listen_addr", cfg.Server.ListenAddr, "grpc_addr", cfg.Server.GRPCAddr) + + // Open and migrate the database first — we need it to load the master key salt. + database, err := db.Open(cfg.Database.Path) + if err != nil { + return fmt.Errorf("open database: %w", err) + } + defer func() { _ = database.Close() }() + + if err := db.Migrate(database); err != nil { + return fmt.Errorf("migrate database: %w", err) + } + logger.Info("database ready", "path", cfg.Database.Path) + + // Derive or load the master encryption key. + // Security: The master key encrypts TOTP secrets, Postgres passwords, and + // the signing key at rest. It is derived from a passphrase via Argon2id + // (or loaded directly from a key file). The KDF salt is stored in the DB + // for stability across restarts. The passphrase env var is cleared after use. + masterKey, err := loadMasterKey(cfg, database) + if err != nil { + return fmt.Errorf("load master key: %w", err) + } + defer func() { + // Zero the master key when done — reduces the window of exposure. + for i := range masterKey { + masterKey[i] = 0 + } + }() + + // Load or generate the Ed25519 signing key. + // Security: The private signing key is stored AES-256-GCM encrypted in the + // database. On first run it is generated and stored. The key is decrypted + // with the master key each startup. + privKey, pubKey, err := loadOrGenerateSigningKey(database, masterKey, logger) + if err != nil { + return fmt.Errorf("signing key: %w", err) + } + + // Configure TLS. We require TLS 1.2+ and prefer TLS 1.3. + // Security: HTTPS/gRPC-TLS is mandatory; no plaintext listener is provided. + // The same TLS certificate is used for both REST and gRPC listeners. + tlsCfg := &tls.Config{ + MinVersion: tls.VersionTLS12, + CurvePreferences: []tls.CurveID{ + tls.X25519, + tls.CurveP256, + }, + } + + // Build the REST handler. + restSrv := server.New(database, cfg, privKey, pubKey, masterKey, logger) + httpServer := &http.Server{ + Addr: cfg.Server.ListenAddr, + Handler: restSrv.Handler(), + TLSConfig: tlsCfg, + ReadTimeout: 30 * time.Second, + WriteTimeout: 30 * time.Second, + IdleTimeout: 120 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + } + + // Build the gRPC server if grpc_addr is configured. + var grpcSrv *grpc.Server + var grpcListener net.Listener + if cfg.Server.GRPCAddr != "" { + // Load TLS credentials for gRPC using the same cert/key as REST. + // Security: TLS 1.2 minimum is enforced via tls.Config; no h2c is offered. + grpcTLSCreds, err := credentials.NewServerTLSFromFile(cfg.Server.TLSCert, cfg.Server.TLSKey) + if err != nil { + return fmt.Errorf("load gRPC TLS credentials: %w", err) + } + + grpcSrvImpl := grpcserver.New(database, cfg, privKey, pubKey, masterKey, logger) + grpcSrv = grpcSrvImpl.GRPCServer() + // Apply TLS to the gRPC server by wrapping options. + // We reconstruct the server with TLS credentials since GRPCServer() + // returns an already-built server; instead, build with creds directly. + // Re-create with TLS option. + grpcSrv = rebuildGRPCServerWithTLS(grpcSrvImpl, grpcTLSCreds) + + grpcListener, err = net.Listen("tcp", cfg.Server.GRPCAddr) + if err != nil { + return fmt.Errorf("gRPC listen: %w", err) + } + logger.Info("gRPC listener ready", "addr", cfg.Server.GRPCAddr) + } + + // Graceful shutdown on SIGINT/SIGTERM. + ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) + defer stop() + + var wg sync.WaitGroup + errCh := make(chan error, 2) + + // Start REST listener. + wg.Add(1) + go func() { + defer wg.Done() + logger.Info("REST server starting", "addr", cfg.Server.ListenAddr) + if err := httpServer.ListenAndServeTLS(cfg.Server.TLSCert, cfg.Server.TLSKey); err != nil { + if !errors.Is(err, http.ErrServerClosed) { + errCh <- fmt.Errorf("REST server: %w", err) + } + } + }() + + // Start gRPC listener if configured. + if grpcSrv != nil && grpcListener != nil { + wg.Add(1) + go func() { + defer wg.Done() + logger.Info("gRPC server starting", "addr", cfg.Server.GRPCAddr) + if err := grpcSrv.Serve(grpcListener); err != nil { + errCh <- fmt.Errorf("gRPC server: %w", err) + } + }() + } + + // Wait for shutdown signal or a server error. + select { + case <-ctx.Done(): + logger.Info("shutdown signal received") + case err := <-errCh: + return err + } + + // Graceful drain: give servers up to 15s to finish in-flight requests. + shutdownCtx, cancel := context.WithTimeout(context.Background(), 15*time.Second) + defer cancel() + + if err := httpServer.Shutdown(shutdownCtx); err != nil { + logger.Error("REST shutdown error", "error", err) + } + if grpcSrv != nil { + grpcSrv.GracefulStop() + } + + wg.Wait() + + // Drain any remaining error from startup goroutines. + select { + case err := <-errCh: + return err + default: + } + return nil +} + +// rebuildGRPCServerWithTLS creates a new *grpc.Server with TLS credentials +// and re-registers all services from the implementation. +// This is needed because grpc.NewServer accepts credentials as an option at +// construction time, not after the fact. +func rebuildGRPCServerWithTLS(impl *grpcserver.Server, creds credentials.TransportCredentials) *grpc.Server { + return impl.GRPCServerWithCreds(creds) +} + +// loadMasterKey derives or loads the AES-256-GCM master key from the config. +// +// Key file mode: reads exactly 32 bytes from a file. +// +// Passphrase mode: reads the passphrase from the named environment variable, +// then immediately clears it from the environment. The Argon2id KDF salt is +// stored in the database on first run and retrieved on subsequent runs so that +// the same passphrase always yields the same master key. +// +// Security: The Argon2id parameters used by crypto.DeriveKey exceed OWASP 2023 +// minimums (time=3, memory=128MiB, threads=4). The salt is 32 random bytes. +func loadMasterKey(cfg *config.Config, database *db.DB) ([]byte, error) { + if cfg.MasterKey.KeyFile != "" { + // Key file mode: file must contain exactly 32 bytes (AES-256). + data, err := os.ReadFile(cfg.MasterKey.KeyFile) //nolint:gosec // G304: operator-supplied path + if err != nil { + return nil, fmt.Errorf("read key file: %w", err) + } + if len(data) != 32 { + return nil, fmt.Errorf("key file must be exactly 32 bytes, got %d", len(data)) + } + key := make([]byte, 32) + copy(key, data) + // Zero the file buffer before it can be GC'd. + for i := range data { + data[i] = 0 + } + return key, nil + } + + // Passphrase mode. + passphrase := os.Getenv(cfg.MasterKey.PassphraseEnv) + if passphrase == "" { + return nil, fmt.Errorf("environment variable %q is not set or empty", cfg.MasterKey.PassphraseEnv) + } + // Immediately unset the env var so child processes cannot read it. + _ = os.Unsetenv(cfg.MasterKey.PassphraseEnv) + + // Retrieve or create the KDF salt. + salt, err := database.ReadMasterKeySalt() + if errors.Is(err, db.ErrNotFound) { + // First run: generate and persist a new salt. + salt, err = crypto.NewSalt() + if err != nil { + return nil, fmt.Errorf("generate master key salt: %w", err) + } + if err := database.WriteMasterKeySalt(salt); err != nil { + return nil, fmt.Errorf("store master key salt: %w", err) + } + } else if err != nil { + return nil, fmt.Errorf("read master key salt: %w", err) + } + + key, err := crypto.DeriveKey(passphrase, salt) + if err != nil { + return nil, fmt.Errorf("derive master key: %w", err) + } + return key, nil +} + +// loadOrGenerateSigningKey loads the Ed25519 signing key from the database +// (decrypted with masterKey), or generates and stores a new one on first run. +// +// Security: The private key is stored AES-256-GCM encrypted. A fresh random +// nonce is used for each encryption. The plaintext key only exists in memory +// during the process lifetime. +func loadOrGenerateSigningKey(database *db.DB, masterKey []byte, logger *slog.Logger) (ed25519.PrivateKey, ed25519.PublicKey, error) { + // Try to load existing key. + enc, nonce, err := database.ReadServerConfig() + if err == nil && enc != nil && nonce != nil { + privPEM, err := crypto.OpenAESGCM(masterKey, nonce, enc) + if err != nil { + return nil, nil, fmt.Errorf("decrypt signing key: %w", err) + } + + priv, err := crypto.ParsePrivateKeyPEM(privPEM) + if err != nil { + return nil, nil, fmt.Errorf("parse signing key PEM: %w", err) + } + + // Security: ed25519.PrivateKey.Public() always returns ed25519.PublicKey, + // but we use the ok form to make the type assertion explicit and safe. + pub, ok := priv.Public().(ed25519.PublicKey) + if !ok { + return nil, nil, fmt.Errorf("signing key has unexpected public key type") + } + logger.Info("signing key loaded from database") + return priv, pub, nil + } + + // First run: generate and store a new signing key. + logger.Info("generating new Ed25519 signing key") + pub, priv, err := crypto.GenerateEd25519KeyPair() + if err != nil { + return nil, nil, fmt.Errorf("generate signing key: %w", err) + } + + privPEM, err := crypto.MarshalPrivateKeyPEM(priv) + if err != nil { + return nil, nil, fmt.Errorf("marshal signing key: %w", err) + } + + encKey, encNonce, err := crypto.SealAESGCM(masterKey, privPEM) + if err != nil { + return nil, nil, fmt.Errorf("encrypt signing key: %w", err) + } + + if err := database.WriteServerConfig(encKey, encNonce); err != nil { + return nil, nil, fmt.Errorf("store signing key: %w", err) + } + + logger.Info("signing key generated and stored") + return priv, pub, nil +} diff --git a/gen/mcias/v1/account.pb.go b/gen/mcias/v1/account.pb.go new file mode 100644 index 0000000..deee4db --- /dev/null +++ b/gen/mcias/v1/account.pb.go @@ -0,0 +1,983 @@ +// AccountService: account and role CRUD. All RPCs require admin role. +// CredentialService: Postgres credential management. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc v6.33.4 +// source: mcias/v1/account.proto + +package mciasv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// ListAccountsRequest carries no parameters. +type ListAccountsRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ListAccountsRequest) Reset() { + *x = ListAccountsRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ListAccountsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListAccountsRequest) ProtoMessage() {} + +func (x *ListAccountsRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListAccountsRequest.ProtoReflect.Descriptor instead. +func (*ListAccountsRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{0} +} + +// ListAccountsResponse returns all accounts. Credential fields are absent. +type ListAccountsResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Accounts []*Account `protobuf:"bytes,1,rep,name=accounts,proto3" json:"accounts,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ListAccountsResponse) Reset() { + *x = ListAccountsResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ListAccountsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListAccountsResponse) ProtoMessage() {} + +func (x *ListAccountsResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListAccountsResponse.ProtoReflect.Descriptor instead. +func (*ListAccountsResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{1} +} + +func (x *ListAccountsResponse) GetAccounts() []*Account { + if x != nil { + return x.Accounts + } + return nil +} + +// CreateAccountRequest specifies a new account to create. +type CreateAccountRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + Password string `protobuf:"bytes,2,opt,name=password,proto3" json:"password,omitempty"` // required for human accounts; security: never logged + AccountType string `protobuf:"bytes,3,opt,name=account_type,json=accountType,proto3" json:"account_type,omitempty"` // "human" or "system" + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CreateAccountRequest) Reset() { + *x = CreateAccountRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CreateAccountRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateAccountRequest) ProtoMessage() {} + +func (x *CreateAccountRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateAccountRequest.ProtoReflect.Descriptor instead. +func (*CreateAccountRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{2} +} + +func (x *CreateAccountRequest) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *CreateAccountRequest) GetPassword() string { + if x != nil { + return x.Password + } + return "" +} + +func (x *CreateAccountRequest) GetAccountType() string { + if x != nil { + return x.AccountType + } + return "" +} + +// CreateAccountResponse returns the created account record. +type CreateAccountResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Account *Account `protobuf:"bytes,1,opt,name=account,proto3" json:"account,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *CreateAccountResponse) Reset() { + *x = CreateAccountResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *CreateAccountResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CreateAccountResponse) ProtoMessage() {} + +func (x *CreateAccountResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CreateAccountResponse.ProtoReflect.Descriptor instead. +func (*CreateAccountResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{3} +} + +func (x *CreateAccountResponse) GetAccount() *Account { + if x != nil { + return x.Account + } + return nil +} + +// GetAccountRequest identifies an account by UUID. +type GetAccountRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetAccountRequest) Reset() { + *x = GetAccountRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetAccountRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetAccountRequest) ProtoMessage() {} + +func (x *GetAccountRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetAccountRequest.ProtoReflect.Descriptor instead. +func (*GetAccountRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{4} +} + +func (x *GetAccountRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +// GetAccountResponse returns the account record. +type GetAccountResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Account *Account `protobuf:"bytes,1,opt,name=account,proto3" json:"account,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetAccountResponse) Reset() { + *x = GetAccountResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetAccountResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetAccountResponse) ProtoMessage() {} + +func (x *GetAccountResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetAccountResponse.ProtoReflect.Descriptor instead. +func (*GetAccountResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{5} +} + +func (x *GetAccountResponse) GetAccount() *Account { + if x != nil { + return x.Account + } + return nil +} + +// UpdateAccountRequest updates mutable fields. Only non-empty fields are applied. +type UpdateAccountRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + Status string `protobuf:"bytes,2,opt,name=status,proto3" json:"status,omitempty"` // "active" or "inactive" (omit to leave unchanged) + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *UpdateAccountRequest) Reset() { + *x = UpdateAccountRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *UpdateAccountRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateAccountRequest) ProtoMessage() {} + +func (x *UpdateAccountRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateAccountRequest.ProtoReflect.Descriptor instead. +func (*UpdateAccountRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{6} +} + +func (x *UpdateAccountRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *UpdateAccountRequest) GetStatus() string { + if x != nil { + return x.Status + } + return "" +} + +// UpdateAccountResponse confirms the update. +type UpdateAccountResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *UpdateAccountResponse) Reset() { + *x = UpdateAccountResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *UpdateAccountResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpdateAccountResponse) ProtoMessage() {} + +func (x *UpdateAccountResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpdateAccountResponse.ProtoReflect.Descriptor instead. +func (*UpdateAccountResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{7} +} + +// DeleteAccountRequest soft-deletes an account and revokes its tokens. +type DeleteAccountRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *DeleteAccountRequest) Reset() { + *x = DeleteAccountRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DeleteAccountRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteAccountRequest) ProtoMessage() {} + +func (x *DeleteAccountRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[8] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteAccountRequest.ProtoReflect.Descriptor instead. +func (*DeleteAccountRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{8} +} + +func (x *DeleteAccountRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +// DeleteAccountResponse confirms deletion. +type DeleteAccountResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *DeleteAccountResponse) Reset() { + *x = DeleteAccountResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DeleteAccountResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeleteAccountResponse) ProtoMessage() {} + +func (x *DeleteAccountResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeleteAccountResponse.ProtoReflect.Descriptor instead. +func (*DeleteAccountResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{9} +} + +// GetRolesRequest identifies an account by UUID. +type GetRolesRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetRolesRequest) Reset() { + *x = GetRolesRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetRolesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetRolesRequest) ProtoMessage() {} + +func (x *GetRolesRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[10] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetRolesRequest.ProtoReflect.Descriptor instead. +func (*GetRolesRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{10} +} + +func (x *GetRolesRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +// GetRolesResponse lists the current roles. +type GetRolesResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Roles []string `protobuf:"bytes,1,rep,name=roles,proto3" json:"roles,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetRolesResponse) Reset() { + *x = GetRolesResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetRolesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetRolesResponse) ProtoMessage() {} + +func (x *GetRolesResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[11] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetRolesResponse.ProtoReflect.Descriptor instead. +func (*GetRolesResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{11} +} + +func (x *GetRolesResponse) GetRoles() []string { + if x != nil { + return x.Roles + } + return nil +} + +// SetRolesRequest replaces the role set for an account. +type SetRolesRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + Roles []string `protobuf:"bytes,2,rep,name=roles,proto3" json:"roles,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SetRolesRequest) Reset() { + *x = SetRolesRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[12] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SetRolesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SetRolesRequest) ProtoMessage() {} + +func (x *SetRolesRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[12] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SetRolesRequest.ProtoReflect.Descriptor instead. +func (*SetRolesRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{12} +} + +func (x *SetRolesRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *SetRolesRequest) GetRoles() []string { + if x != nil { + return x.Roles + } + return nil +} + +// SetRolesResponse confirms the update. +type SetRolesResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SetRolesResponse) Reset() { + *x = SetRolesResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[13] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SetRolesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SetRolesResponse) ProtoMessage() {} + +func (x *SetRolesResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[13] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SetRolesResponse.ProtoReflect.Descriptor instead. +func (*SetRolesResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{13} +} + +// GetPGCredsRequest identifies an account by UUID. +type GetPGCredsRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetPGCredsRequest) Reset() { + *x = GetPGCredsRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[14] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetPGCredsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetPGCredsRequest) ProtoMessage() {} + +func (x *GetPGCredsRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[14] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetPGCredsRequest.ProtoReflect.Descriptor instead. +func (*GetPGCredsRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{14} +} + +func (x *GetPGCredsRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +// GetPGCredsResponse returns decrypted Postgres credentials. +// Security: password is present only in this response; never in list output. +type GetPGCredsResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Creds *PGCreds `protobuf:"bytes,1,opt,name=creds,proto3" json:"creds,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetPGCredsResponse) Reset() { + *x = GetPGCredsResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[15] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetPGCredsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetPGCredsResponse) ProtoMessage() {} + +func (x *GetPGCredsResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[15] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetPGCredsResponse.ProtoReflect.Descriptor instead. +func (*GetPGCredsResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{15} +} + +func (x *GetPGCredsResponse) GetCreds() *PGCreds { + if x != nil { + return x.Creds + } + return nil +} + +// SetPGCredsRequest stores Postgres credentials for an account. +type SetPGCredsRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + Creds *PGCreds `protobuf:"bytes,2,opt,name=creds,proto3" json:"creds,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SetPGCredsRequest) Reset() { + *x = SetPGCredsRequest{} + mi := &file_mcias_v1_account_proto_msgTypes[16] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SetPGCredsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SetPGCredsRequest) ProtoMessage() {} + +func (x *SetPGCredsRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[16] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SetPGCredsRequest.ProtoReflect.Descriptor instead. +func (*SetPGCredsRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{16} +} + +func (x *SetPGCredsRequest) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *SetPGCredsRequest) GetCreds() *PGCreds { + if x != nil { + return x.Creds + } + return nil +} + +// SetPGCredsResponse confirms the update. +type SetPGCredsResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SetPGCredsResponse) Reset() { + *x = SetPGCredsResponse{} + mi := &file_mcias_v1_account_proto_msgTypes[17] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SetPGCredsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SetPGCredsResponse) ProtoMessage() {} + +func (x *SetPGCredsResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_account_proto_msgTypes[17] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SetPGCredsResponse.ProtoReflect.Descriptor instead. +func (*SetPGCredsResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_account_proto_rawDescGZIP(), []int{17} +} + +var File_mcias_v1_account_proto protoreflect.FileDescriptor + +const file_mcias_v1_account_proto_rawDesc = "" + + "\n" + + "\x16mcias/v1/account.proto\x12\bmcias.v1\x1a\x15mcias/v1/common.proto\"\x15\n" + + "\x13ListAccountsRequest\"E\n" + + "\x14ListAccountsResponse\x12-\n" + + "\baccounts\x18\x01 \x03(\v2\x11.mcias.v1.AccountR\baccounts\"q\n" + + "\x14CreateAccountRequest\x12\x1a\n" + + "\busername\x18\x01 \x01(\tR\busername\x12\x1a\n" + + "\bpassword\x18\x02 \x01(\tR\bpassword\x12!\n" + + "\faccount_type\x18\x03 \x01(\tR\vaccountType\"D\n" + + "\x15CreateAccountResponse\x12+\n" + + "\aaccount\x18\x01 \x01(\v2\x11.mcias.v1.AccountR\aaccount\"#\n" + + "\x11GetAccountRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\"A\n" + + "\x12GetAccountResponse\x12+\n" + + "\aaccount\x18\x01 \x01(\v2\x11.mcias.v1.AccountR\aaccount\">\n" + + "\x14UpdateAccountRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\x12\x16\n" + + "\x06status\x18\x02 \x01(\tR\x06status\"\x17\n" + + "\x15UpdateAccountResponse\"&\n" + + "\x14DeleteAccountRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\"\x17\n" + + "\x15DeleteAccountResponse\"!\n" + + "\x0fGetRolesRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\"(\n" + + "\x10GetRolesResponse\x12\x14\n" + + "\x05roles\x18\x01 \x03(\tR\x05roles\"7\n" + + "\x0fSetRolesRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\x12\x14\n" + + "\x05roles\x18\x02 \x03(\tR\x05roles\"\x12\n" + + "\x10SetRolesResponse\"#\n" + + "\x11GetPGCredsRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\"=\n" + + "\x12GetPGCredsResponse\x12'\n" + + "\x05creds\x18\x01 \x01(\v2\x11.mcias.v1.PGCredsR\x05creds\"L\n" + + "\x11SetPGCredsRequest\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\x12'\n" + + "\x05creds\x18\x02 \x01(\v2\x11.mcias.v1.PGCredsR\x05creds\"\x14\n" + + "\x12SetPGCredsResponse2\xa4\x04\n" + + "\x0eAccountService\x12M\n" + + "\fListAccounts\x12\x1d.mcias.v1.ListAccountsRequest\x1a\x1e.mcias.v1.ListAccountsResponse\x12P\n" + + "\rCreateAccount\x12\x1e.mcias.v1.CreateAccountRequest\x1a\x1f.mcias.v1.CreateAccountResponse\x12G\n" + + "\n" + + "GetAccount\x12\x1b.mcias.v1.GetAccountRequest\x1a\x1c.mcias.v1.GetAccountResponse\x12P\n" + + "\rUpdateAccount\x12\x1e.mcias.v1.UpdateAccountRequest\x1a\x1f.mcias.v1.UpdateAccountResponse\x12P\n" + + "\rDeleteAccount\x12\x1e.mcias.v1.DeleteAccountRequest\x1a\x1f.mcias.v1.DeleteAccountResponse\x12A\n" + + "\bGetRoles\x12\x19.mcias.v1.GetRolesRequest\x1a\x1a.mcias.v1.GetRolesResponse\x12A\n" + + "\bSetRoles\x12\x19.mcias.v1.SetRolesRequest\x1a\x1a.mcias.v1.SetRolesResponse2\xa5\x01\n" + + "\x11CredentialService\x12G\n" + + "\n" + + "GetPGCreds\x12\x1b.mcias.v1.GetPGCredsRequest\x1a\x1c.mcias.v1.GetPGCredsResponse\x12G\n" + + "\n" + + "SetPGCreds\x12\x1b.mcias.v1.SetPGCredsRequest\x1a\x1c.mcias.v1.SetPGCredsResponseB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3" + +var ( + file_mcias_v1_account_proto_rawDescOnce sync.Once + file_mcias_v1_account_proto_rawDescData []byte +) + +func file_mcias_v1_account_proto_rawDescGZIP() []byte { + file_mcias_v1_account_proto_rawDescOnce.Do(func() { + file_mcias_v1_account_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcias_v1_account_proto_rawDesc), len(file_mcias_v1_account_proto_rawDesc))) + }) + return file_mcias_v1_account_proto_rawDescData +} + +var file_mcias_v1_account_proto_msgTypes = make([]protoimpl.MessageInfo, 18) +var file_mcias_v1_account_proto_goTypes = []any{ + (*ListAccountsRequest)(nil), // 0: mcias.v1.ListAccountsRequest + (*ListAccountsResponse)(nil), // 1: mcias.v1.ListAccountsResponse + (*CreateAccountRequest)(nil), // 2: mcias.v1.CreateAccountRequest + (*CreateAccountResponse)(nil), // 3: mcias.v1.CreateAccountResponse + (*GetAccountRequest)(nil), // 4: mcias.v1.GetAccountRequest + (*GetAccountResponse)(nil), // 5: mcias.v1.GetAccountResponse + (*UpdateAccountRequest)(nil), // 6: mcias.v1.UpdateAccountRequest + (*UpdateAccountResponse)(nil), // 7: mcias.v1.UpdateAccountResponse + (*DeleteAccountRequest)(nil), // 8: mcias.v1.DeleteAccountRequest + (*DeleteAccountResponse)(nil), // 9: mcias.v1.DeleteAccountResponse + (*GetRolesRequest)(nil), // 10: mcias.v1.GetRolesRequest + (*GetRolesResponse)(nil), // 11: mcias.v1.GetRolesResponse + (*SetRolesRequest)(nil), // 12: mcias.v1.SetRolesRequest + (*SetRolesResponse)(nil), // 13: mcias.v1.SetRolesResponse + (*GetPGCredsRequest)(nil), // 14: mcias.v1.GetPGCredsRequest + (*GetPGCredsResponse)(nil), // 15: mcias.v1.GetPGCredsResponse + (*SetPGCredsRequest)(nil), // 16: mcias.v1.SetPGCredsRequest + (*SetPGCredsResponse)(nil), // 17: mcias.v1.SetPGCredsResponse + (*Account)(nil), // 18: mcias.v1.Account + (*PGCreds)(nil), // 19: mcias.v1.PGCreds +} +var file_mcias_v1_account_proto_depIdxs = []int32{ + 18, // 0: mcias.v1.ListAccountsResponse.accounts:type_name -> mcias.v1.Account + 18, // 1: mcias.v1.CreateAccountResponse.account:type_name -> mcias.v1.Account + 18, // 2: mcias.v1.GetAccountResponse.account:type_name -> mcias.v1.Account + 19, // 3: mcias.v1.GetPGCredsResponse.creds:type_name -> mcias.v1.PGCreds + 19, // 4: mcias.v1.SetPGCredsRequest.creds:type_name -> mcias.v1.PGCreds + 0, // 5: mcias.v1.AccountService.ListAccounts:input_type -> mcias.v1.ListAccountsRequest + 2, // 6: mcias.v1.AccountService.CreateAccount:input_type -> mcias.v1.CreateAccountRequest + 4, // 7: mcias.v1.AccountService.GetAccount:input_type -> mcias.v1.GetAccountRequest + 6, // 8: mcias.v1.AccountService.UpdateAccount:input_type -> mcias.v1.UpdateAccountRequest + 8, // 9: mcias.v1.AccountService.DeleteAccount:input_type -> mcias.v1.DeleteAccountRequest + 10, // 10: mcias.v1.AccountService.GetRoles:input_type -> mcias.v1.GetRolesRequest + 12, // 11: mcias.v1.AccountService.SetRoles:input_type -> mcias.v1.SetRolesRequest + 14, // 12: mcias.v1.CredentialService.GetPGCreds:input_type -> mcias.v1.GetPGCredsRequest + 16, // 13: mcias.v1.CredentialService.SetPGCreds:input_type -> mcias.v1.SetPGCredsRequest + 1, // 14: mcias.v1.AccountService.ListAccounts:output_type -> mcias.v1.ListAccountsResponse + 3, // 15: mcias.v1.AccountService.CreateAccount:output_type -> mcias.v1.CreateAccountResponse + 5, // 16: mcias.v1.AccountService.GetAccount:output_type -> mcias.v1.GetAccountResponse + 7, // 17: mcias.v1.AccountService.UpdateAccount:output_type -> mcias.v1.UpdateAccountResponse + 9, // 18: mcias.v1.AccountService.DeleteAccount:output_type -> mcias.v1.DeleteAccountResponse + 11, // 19: mcias.v1.AccountService.GetRoles:output_type -> mcias.v1.GetRolesResponse + 13, // 20: mcias.v1.AccountService.SetRoles:output_type -> mcias.v1.SetRolesResponse + 15, // 21: mcias.v1.CredentialService.GetPGCreds:output_type -> mcias.v1.GetPGCredsResponse + 17, // 22: mcias.v1.CredentialService.SetPGCreds:output_type -> mcias.v1.SetPGCredsResponse + 14, // [14:23] is the sub-list for method output_type + 5, // [5:14] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name +} + +func init() { file_mcias_v1_account_proto_init() } +func file_mcias_v1_account_proto_init() { + if File_mcias_v1_account_proto != nil { + return + } + file_mcias_v1_common_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcias_v1_account_proto_rawDesc), len(file_mcias_v1_account_proto_rawDesc)), + NumEnums: 0, + NumMessages: 18, + NumExtensions: 0, + NumServices: 2, + }, + GoTypes: file_mcias_v1_account_proto_goTypes, + DependencyIndexes: file_mcias_v1_account_proto_depIdxs, + MessageInfos: file_mcias_v1_account_proto_msgTypes, + }.Build() + File_mcias_v1_account_proto = out.File + file_mcias_v1_account_proto_goTypes = nil + file_mcias_v1_account_proto_depIdxs = nil +} diff --git a/gen/mcias/v1/account_grpc.pb.go b/gen/mcias/v1/account_grpc.pb.go new file mode 100644 index 0000000..99a8b0f --- /dev/null +++ b/gen/mcias/v1/account_grpc.pb.go @@ -0,0 +1,502 @@ +// AccountService: account and role CRUD. All RPCs require admin role. +// CredentialService: Postgres credential management. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc v6.33.4 +// source: mcias/v1/account.proto + +package mciasv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + AccountService_ListAccounts_FullMethodName = "/mcias.v1.AccountService/ListAccounts" + AccountService_CreateAccount_FullMethodName = "/mcias.v1.AccountService/CreateAccount" + AccountService_GetAccount_FullMethodName = "/mcias.v1.AccountService/GetAccount" + AccountService_UpdateAccount_FullMethodName = "/mcias.v1.AccountService/UpdateAccount" + AccountService_DeleteAccount_FullMethodName = "/mcias.v1.AccountService/DeleteAccount" + AccountService_GetRoles_FullMethodName = "/mcias.v1.AccountService/GetRoles" + AccountService_SetRoles_FullMethodName = "/mcias.v1.AccountService/SetRoles" +) + +// AccountServiceClient is the client API for AccountService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// AccountService manages accounts and roles. All RPCs require admin role. +type AccountServiceClient interface { + ListAccounts(ctx context.Context, in *ListAccountsRequest, opts ...grpc.CallOption) (*ListAccountsResponse, error) + CreateAccount(ctx context.Context, in *CreateAccountRequest, opts ...grpc.CallOption) (*CreateAccountResponse, error) + GetAccount(ctx context.Context, in *GetAccountRequest, opts ...grpc.CallOption) (*GetAccountResponse, error) + UpdateAccount(ctx context.Context, in *UpdateAccountRequest, opts ...grpc.CallOption) (*UpdateAccountResponse, error) + DeleteAccount(ctx context.Context, in *DeleteAccountRequest, opts ...grpc.CallOption) (*DeleteAccountResponse, error) + GetRoles(ctx context.Context, in *GetRolesRequest, opts ...grpc.CallOption) (*GetRolesResponse, error) + SetRoles(ctx context.Context, in *SetRolesRequest, opts ...grpc.CallOption) (*SetRolesResponse, error) +} + +type accountServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewAccountServiceClient(cc grpc.ClientConnInterface) AccountServiceClient { + return &accountServiceClient{cc} +} + +func (c *accountServiceClient) ListAccounts(ctx context.Context, in *ListAccountsRequest, opts ...grpc.CallOption) (*ListAccountsResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(ListAccountsResponse) + err := c.cc.Invoke(ctx, AccountService_ListAccounts_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *accountServiceClient) CreateAccount(ctx context.Context, in *CreateAccountRequest, opts ...grpc.CallOption) (*CreateAccountResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(CreateAccountResponse) + err := c.cc.Invoke(ctx, AccountService_CreateAccount_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *accountServiceClient) GetAccount(ctx context.Context, in *GetAccountRequest, opts ...grpc.CallOption) (*GetAccountResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetAccountResponse) + err := c.cc.Invoke(ctx, AccountService_GetAccount_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *accountServiceClient) UpdateAccount(ctx context.Context, in *UpdateAccountRequest, opts ...grpc.CallOption) (*UpdateAccountResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(UpdateAccountResponse) + err := c.cc.Invoke(ctx, AccountService_UpdateAccount_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *accountServiceClient) DeleteAccount(ctx context.Context, in *DeleteAccountRequest, opts ...grpc.CallOption) (*DeleteAccountResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(DeleteAccountResponse) + err := c.cc.Invoke(ctx, AccountService_DeleteAccount_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *accountServiceClient) GetRoles(ctx context.Context, in *GetRolesRequest, opts ...grpc.CallOption) (*GetRolesResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetRolesResponse) + err := c.cc.Invoke(ctx, AccountService_GetRoles_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *accountServiceClient) SetRoles(ctx context.Context, in *SetRolesRequest, opts ...grpc.CallOption) (*SetRolesResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(SetRolesResponse) + err := c.cc.Invoke(ctx, AccountService_SetRoles_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// AccountServiceServer is the server API for AccountService service. +// All implementations must embed UnimplementedAccountServiceServer +// for forward compatibility. +// +// AccountService manages accounts and roles. All RPCs require admin role. +type AccountServiceServer interface { + ListAccounts(context.Context, *ListAccountsRequest) (*ListAccountsResponse, error) + CreateAccount(context.Context, *CreateAccountRequest) (*CreateAccountResponse, error) + GetAccount(context.Context, *GetAccountRequest) (*GetAccountResponse, error) + UpdateAccount(context.Context, *UpdateAccountRequest) (*UpdateAccountResponse, error) + DeleteAccount(context.Context, *DeleteAccountRequest) (*DeleteAccountResponse, error) + GetRoles(context.Context, *GetRolesRequest) (*GetRolesResponse, error) + SetRoles(context.Context, *SetRolesRequest) (*SetRolesResponse, error) + mustEmbedUnimplementedAccountServiceServer() +} + +// UnimplementedAccountServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedAccountServiceServer struct{} + +func (UnimplementedAccountServiceServer) ListAccounts(context.Context, *ListAccountsRequest) (*ListAccountsResponse, error) { + return nil, status.Error(codes.Unimplemented, "method ListAccounts not implemented") +} +func (UnimplementedAccountServiceServer) CreateAccount(context.Context, *CreateAccountRequest) (*CreateAccountResponse, error) { + return nil, status.Error(codes.Unimplemented, "method CreateAccount not implemented") +} +func (UnimplementedAccountServiceServer) GetAccount(context.Context, *GetAccountRequest) (*GetAccountResponse, error) { + return nil, status.Error(codes.Unimplemented, "method GetAccount not implemented") +} +func (UnimplementedAccountServiceServer) UpdateAccount(context.Context, *UpdateAccountRequest) (*UpdateAccountResponse, error) { + return nil, status.Error(codes.Unimplemented, "method UpdateAccount not implemented") +} +func (UnimplementedAccountServiceServer) DeleteAccount(context.Context, *DeleteAccountRequest) (*DeleteAccountResponse, error) { + return nil, status.Error(codes.Unimplemented, "method DeleteAccount not implemented") +} +func (UnimplementedAccountServiceServer) GetRoles(context.Context, *GetRolesRequest) (*GetRolesResponse, error) { + return nil, status.Error(codes.Unimplemented, "method GetRoles not implemented") +} +func (UnimplementedAccountServiceServer) SetRoles(context.Context, *SetRolesRequest) (*SetRolesResponse, error) { + return nil, status.Error(codes.Unimplemented, "method SetRoles not implemented") +} +func (UnimplementedAccountServiceServer) mustEmbedUnimplementedAccountServiceServer() {} +func (UnimplementedAccountServiceServer) testEmbeddedByValue() {} + +// UnsafeAccountServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to AccountServiceServer will +// result in compilation errors. +type UnsafeAccountServiceServer interface { + mustEmbedUnimplementedAccountServiceServer() +} + +func RegisterAccountServiceServer(s grpc.ServiceRegistrar, srv AccountServiceServer) { + // If the following call panics, it indicates UnimplementedAccountServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&AccountService_ServiceDesc, srv) +} + +func _AccountService_ListAccounts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ListAccountsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).ListAccounts(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_ListAccounts_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).ListAccounts(ctx, req.(*ListAccountsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AccountService_CreateAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CreateAccountRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).CreateAccount(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_CreateAccount_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).CreateAccount(ctx, req.(*CreateAccountRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AccountService_GetAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetAccountRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).GetAccount(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_GetAccount_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).GetAccount(ctx, req.(*GetAccountRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AccountService_UpdateAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UpdateAccountRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).UpdateAccount(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_UpdateAccount_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).UpdateAccount(ctx, req.(*UpdateAccountRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AccountService_DeleteAccount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(DeleteAccountRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).DeleteAccount(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_DeleteAccount_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).DeleteAccount(ctx, req.(*DeleteAccountRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AccountService_GetRoles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetRolesRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).GetRoles(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_GetRoles_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).GetRoles(ctx, req.(*GetRolesRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AccountService_SetRoles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SetRolesRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AccountServiceServer).SetRoles(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AccountService_SetRoles_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AccountServiceServer).SetRoles(ctx, req.(*SetRolesRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// AccountService_ServiceDesc is the grpc.ServiceDesc for AccountService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var AccountService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "mcias.v1.AccountService", + HandlerType: (*AccountServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "ListAccounts", + Handler: _AccountService_ListAccounts_Handler, + }, + { + MethodName: "CreateAccount", + Handler: _AccountService_CreateAccount_Handler, + }, + { + MethodName: "GetAccount", + Handler: _AccountService_GetAccount_Handler, + }, + { + MethodName: "UpdateAccount", + Handler: _AccountService_UpdateAccount_Handler, + }, + { + MethodName: "DeleteAccount", + Handler: _AccountService_DeleteAccount_Handler, + }, + { + MethodName: "GetRoles", + Handler: _AccountService_GetRoles_Handler, + }, + { + MethodName: "SetRoles", + Handler: _AccountService_SetRoles_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "mcias/v1/account.proto", +} + +const ( + CredentialService_GetPGCreds_FullMethodName = "/mcias.v1.CredentialService/GetPGCreds" + CredentialService_SetPGCreds_FullMethodName = "/mcias.v1.CredentialService/SetPGCreds" +) + +// CredentialServiceClient is the client API for CredentialService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// CredentialService manages Postgres credentials for system accounts. +// All RPCs require admin role. +type CredentialServiceClient interface { + GetPGCreds(ctx context.Context, in *GetPGCredsRequest, opts ...grpc.CallOption) (*GetPGCredsResponse, error) + SetPGCreds(ctx context.Context, in *SetPGCredsRequest, opts ...grpc.CallOption) (*SetPGCredsResponse, error) +} + +type credentialServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewCredentialServiceClient(cc grpc.ClientConnInterface) CredentialServiceClient { + return &credentialServiceClient{cc} +} + +func (c *credentialServiceClient) GetPGCreds(ctx context.Context, in *GetPGCredsRequest, opts ...grpc.CallOption) (*GetPGCredsResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetPGCredsResponse) + err := c.cc.Invoke(ctx, CredentialService_GetPGCreds_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *credentialServiceClient) SetPGCreds(ctx context.Context, in *SetPGCredsRequest, opts ...grpc.CallOption) (*SetPGCredsResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(SetPGCredsResponse) + err := c.cc.Invoke(ctx, CredentialService_SetPGCreds_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// CredentialServiceServer is the server API for CredentialService service. +// All implementations must embed UnimplementedCredentialServiceServer +// for forward compatibility. +// +// CredentialService manages Postgres credentials for system accounts. +// All RPCs require admin role. +type CredentialServiceServer interface { + GetPGCreds(context.Context, *GetPGCredsRequest) (*GetPGCredsResponse, error) + SetPGCreds(context.Context, *SetPGCredsRequest) (*SetPGCredsResponse, error) + mustEmbedUnimplementedCredentialServiceServer() +} + +// UnimplementedCredentialServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedCredentialServiceServer struct{} + +func (UnimplementedCredentialServiceServer) GetPGCreds(context.Context, *GetPGCredsRequest) (*GetPGCredsResponse, error) { + return nil, status.Error(codes.Unimplemented, "method GetPGCreds not implemented") +} +func (UnimplementedCredentialServiceServer) SetPGCreds(context.Context, *SetPGCredsRequest) (*SetPGCredsResponse, error) { + return nil, status.Error(codes.Unimplemented, "method SetPGCreds not implemented") +} +func (UnimplementedCredentialServiceServer) mustEmbedUnimplementedCredentialServiceServer() {} +func (UnimplementedCredentialServiceServer) testEmbeddedByValue() {} + +// UnsafeCredentialServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to CredentialServiceServer will +// result in compilation errors. +type UnsafeCredentialServiceServer interface { + mustEmbedUnimplementedCredentialServiceServer() +} + +func RegisterCredentialServiceServer(s grpc.ServiceRegistrar, srv CredentialServiceServer) { + // If the following call panics, it indicates UnimplementedCredentialServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&CredentialService_ServiceDesc, srv) +} + +func _CredentialService_GetPGCreds_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetPGCredsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CredentialServiceServer).GetPGCreds(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: CredentialService_GetPGCreds_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CredentialServiceServer).GetPGCreds(ctx, req.(*GetPGCredsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _CredentialService_SetPGCreds_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SetPGCredsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CredentialServiceServer).SetPGCreds(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: CredentialService_SetPGCreds_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CredentialServiceServer).SetPGCreds(ctx, req.(*SetPGCredsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// CredentialService_ServiceDesc is the grpc.ServiceDesc for CredentialService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var CredentialService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "mcias.v1.CredentialService", + HandlerType: (*CredentialServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "GetPGCreds", + Handler: _CredentialService_GetPGCreds_Handler, + }, + { + MethodName: "SetPGCreds", + Handler: _CredentialService_SetPGCreds_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "mcias/v1/account.proto", +} diff --git a/gen/mcias/v1/admin.pb.go b/gen/mcias/v1/admin.pb.go new file mode 100644 index 0000000..3f2da7b --- /dev/null +++ b/gen/mcias/v1/admin.pb.go @@ -0,0 +1,296 @@ +// AdminService: health check and public-key retrieval. +// These RPCs are public — no authentication is required. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc v6.33.4 +// source: mcias/v1/admin.proto + +package mciasv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// HealthRequest carries no parameters. +type HealthRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *HealthRequest) Reset() { + *x = HealthRequest{} + mi := &file_mcias_v1_admin_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *HealthRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*HealthRequest) ProtoMessage() {} + +func (x *HealthRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_admin_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use HealthRequest.ProtoReflect.Descriptor instead. +func (*HealthRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_admin_proto_rawDescGZIP(), []int{0} +} + +// HealthResponse confirms the server is operational. +type HealthResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"` // "ok" + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *HealthResponse) Reset() { + *x = HealthResponse{} + mi := &file_mcias_v1_admin_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *HealthResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*HealthResponse) ProtoMessage() {} + +func (x *HealthResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_admin_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use HealthResponse.ProtoReflect.Descriptor instead. +func (*HealthResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_admin_proto_rawDescGZIP(), []int{1} +} + +func (x *HealthResponse) GetStatus() string { + if x != nil { + return x.Status + } + return "" +} + +// GetPublicKeyRequest carries no parameters. +type GetPublicKeyRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetPublicKeyRequest) Reset() { + *x = GetPublicKeyRequest{} + mi := &file_mcias_v1_admin_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetPublicKeyRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetPublicKeyRequest) ProtoMessage() {} + +func (x *GetPublicKeyRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_admin_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetPublicKeyRequest.ProtoReflect.Descriptor instead. +func (*GetPublicKeyRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_admin_proto_rawDescGZIP(), []int{2} +} + +// GetPublicKeyResponse returns the Ed25519 public key in JWK format fields. +// The "x" field is the base64url-encoded 32-byte public key. +type GetPublicKeyResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Kty string `protobuf:"bytes,1,opt,name=kty,proto3" json:"kty,omitempty"` // "OKP" + Crv string `protobuf:"bytes,2,opt,name=crv,proto3" json:"crv,omitempty"` // "Ed25519" + Use string `protobuf:"bytes,3,opt,name=use,proto3" json:"use,omitempty"` // "sig" + Alg string `protobuf:"bytes,4,opt,name=alg,proto3" json:"alg,omitempty"` // "EdDSA" + X string `protobuf:"bytes,5,opt,name=x,proto3" json:"x,omitempty"` // base64url-encoded public key bytes + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetPublicKeyResponse) Reset() { + *x = GetPublicKeyResponse{} + mi := &file_mcias_v1_admin_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetPublicKeyResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetPublicKeyResponse) ProtoMessage() {} + +func (x *GetPublicKeyResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_admin_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetPublicKeyResponse.ProtoReflect.Descriptor instead. +func (*GetPublicKeyResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_admin_proto_rawDescGZIP(), []int{3} +} + +func (x *GetPublicKeyResponse) GetKty() string { + if x != nil { + return x.Kty + } + return "" +} + +func (x *GetPublicKeyResponse) GetCrv() string { + if x != nil { + return x.Crv + } + return "" +} + +func (x *GetPublicKeyResponse) GetUse() string { + if x != nil { + return x.Use + } + return "" +} + +func (x *GetPublicKeyResponse) GetAlg() string { + if x != nil { + return x.Alg + } + return "" +} + +func (x *GetPublicKeyResponse) GetX() string { + if x != nil { + return x.X + } + return "" +} + +var File_mcias_v1_admin_proto protoreflect.FileDescriptor + +const file_mcias_v1_admin_proto_rawDesc = "" + + "\n" + + "\x14mcias/v1/admin.proto\x12\bmcias.v1\"\x0f\n" + + "\rHealthRequest\"(\n" + + "\x0eHealthResponse\x12\x16\n" + + "\x06status\x18\x01 \x01(\tR\x06status\"\x15\n" + + "\x13GetPublicKeyRequest\"l\n" + + "\x14GetPublicKeyResponse\x12\x10\n" + + "\x03kty\x18\x01 \x01(\tR\x03kty\x12\x10\n" + + "\x03crv\x18\x02 \x01(\tR\x03crv\x12\x10\n" + + "\x03use\x18\x03 \x01(\tR\x03use\x12\x10\n" + + "\x03alg\x18\x04 \x01(\tR\x03alg\x12\f\n" + + "\x01x\x18\x05 \x01(\tR\x01x2\x9a\x01\n" + + "\fAdminService\x12;\n" + + "\x06Health\x12\x17.mcias.v1.HealthRequest\x1a\x18.mcias.v1.HealthResponse\x12M\n" + + "\fGetPublicKey\x12\x1d.mcias.v1.GetPublicKeyRequest\x1a\x1e.mcias.v1.GetPublicKeyResponseB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3" + +var ( + file_mcias_v1_admin_proto_rawDescOnce sync.Once + file_mcias_v1_admin_proto_rawDescData []byte +) + +func file_mcias_v1_admin_proto_rawDescGZIP() []byte { + file_mcias_v1_admin_proto_rawDescOnce.Do(func() { + file_mcias_v1_admin_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcias_v1_admin_proto_rawDesc), len(file_mcias_v1_admin_proto_rawDesc))) + }) + return file_mcias_v1_admin_proto_rawDescData +} + +var file_mcias_v1_admin_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_mcias_v1_admin_proto_goTypes = []any{ + (*HealthRequest)(nil), // 0: mcias.v1.HealthRequest + (*HealthResponse)(nil), // 1: mcias.v1.HealthResponse + (*GetPublicKeyRequest)(nil), // 2: mcias.v1.GetPublicKeyRequest + (*GetPublicKeyResponse)(nil), // 3: mcias.v1.GetPublicKeyResponse +} +var file_mcias_v1_admin_proto_depIdxs = []int32{ + 0, // 0: mcias.v1.AdminService.Health:input_type -> mcias.v1.HealthRequest + 2, // 1: mcias.v1.AdminService.GetPublicKey:input_type -> mcias.v1.GetPublicKeyRequest + 1, // 2: mcias.v1.AdminService.Health:output_type -> mcias.v1.HealthResponse + 3, // 3: mcias.v1.AdminService.GetPublicKey:output_type -> mcias.v1.GetPublicKeyResponse + 2, // [2:4] is the sub-list for method output_type + 0, // [0:2] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_mcias_v1_admin_proto_init() } +func file_mcias_v1_admin_proto_init() { + if File_mcias_v1_admin_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcias_v1_admin_proto_rawDesc), len(file_mcias_v1_admin_proto_rawDesc)), + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_mcias_v1_admin_proto_goTypes, + DependencyIndexes: file_mcias_v1_admin_proto_depIdxs, + MessageInfos: file_mcias_v1_admin_proto_msgTypes, + }.Build() + File_mcias_v1_admin_proto = out.File + file_mcias_v1_admin_proto_goTypes = nil + file_mcias_v1_admin_proto_depIdxs = nil +} diff --git a/gen/mcias/v1/admin_grpc.pb.go b/gen/mcias/v1/admin_grpc.pb.go new file mode 100644 index 0000000..ddeabba --- /dev/null +++ b/gen/mcias/v1/admin_grpc.pb.go @@ -0,0 +1,172 @@ +// AdminService: health check and public-key retrieval. +// These RPCs are public — no authentication is required. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc v6.33.4 +// source: mcias/v1/admin.proto + +package mciasv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + AdminService_Health_FullMethodName = "/mcias.v1.AdminService/Health" + AdminService_GetPublicKey_FullMethodName = "/mcias.v1.AdminService/GetPublicKey" +) + +// AdminServiceClient is the client API for AdminService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// AdminService exposes health and key-material endpoints. +// All RPCs bypass the auth interceptor. +type AdminServiceClient interface { + // Health returns OK when the server is operational. + Health(ctx context.Context, in *HealthRequest, opts ...grpc.CallOption) (*HealthResponse, error) + // GetPublicKey returns the Ed25519 public key used to verify JWTs. + GetPublicKey(ctx context.Context, in *GetPublicKeyRequest, opts ...grpc.CallOption) (*GetPublicKeyResponse, error) +} + +type adminServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewAdminServiceClient(cc grpc.ClientConnInterface) AdminServiceClient { + return &adminServiceClient{cc} +} + +func (c *adminServiceClient) Health(ctx context.Context, in *HealthRequest, opts ...grpc.CallOption) (*HealthResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(HealthResponse) + err := c.cc.Invoke(ctx, AdminService_Health_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *adminServiceClient) GetPublicKey(ctx context.Context, in *GetPublicKeyRequest, opts ...grpc.CallOption) (*GetPublicKeyResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetPublicKeyResponse) + err := c.cc.Invoke(ctx, AdminService_GetPublicKey_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// AdminServiceServer is the server API for AdminService service. +// All implementations must embed UnimplementedAdminServiceServer +// for forward compatibility. +// +// AdminService exposes health and key-material endpoints. +// All RPCs bypass the auth interceptor. +type AdminServiceServer interface { + // Health returns OK when the server is operational. + Health(context.Context, *HealthRequest) (*HealthResponse, error) + // GetPublicKey returns the Ed25519 public key used to verify JWTs. + GetPublicKey(context.Context, *GetPublicKeyRequest) (*GetPublicKeyResponse, error) + mustEmbedUnimplementedAdminServiceServer() +} + +// UnimplementedAdminServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedAdminServiceServer struct{} + +func (UnimplementedAdminServiceServer) Health(context.Context, *HealthRequest) (*HealthResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Health not implemented") +} +func (UnimplementedAdminServiceServer) GetPublicKey(context.Context, *GetPublicKeyRequest) (*GetPublicKeyResponse, error) { + return nil, status.Error(codes.Unimplemented, "method GetPublicKey not implemented") +} +func (UnimplementedAdminServiceServer) mustEmbedUnimplementedAdminServiceServer() {} +func (UnimplementedAdminServiceServer) testEmbeddedByValue() {} + +// UnsafeAdminServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to AdminServiceServer will +// result in compilation errors. +type UnsafeAdminServiceServer interface { + mustEmbedUnimplementedAdminServiceServer() +} + +func RegisterAdminServiceServer(s grpc.ServiceRegistrar, srv AdminServiceServer) { + // If the following call panics, it indicates UnimplementedAdminServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&AdminService_ServiceDesc, srv) +} + +func _AdminService_Health_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(HealthRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AdminServiceServer).Health(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AdminService_Health_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AdminServiceServer).Health(ctx, req.(*HealthRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AdminService_GetPublicKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetPublicKeyRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AdminServiceServer).GetPublicKey(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AdminService_GetPublicKey_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AdminServiceServer).GetPublicKey(ctx, req.(*GetPublicKeyRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// AdminService_ServiceDesc is the grpc.ServiceDesc for AdminService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var AdminService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "mcias.v1.AdminService", + HandlerType: (*AdminServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Health", + Handler: _AdminService_Health_Handler, + }, + { + MethodName: "GetPublicKey", + Handler: _AdminService_GetPublicKey_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "mcias/v1/admin.proto", +} diff --git a/gen/mcias/v1/auth.pb.go b/gen/mcias/v1/auth.pb.go new file mode 100644 index 0000000..1bdd755 --- /dev/null +++ b/gen/mcias/v1/auth.pb.go @@ -0,0 +1,677 @@ +// AuthService: login, logout, token renewal, and TOTP management. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc v6.33.4 +// source: mcias/v1/auth.proto + +package mciasv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// LoginRequest carries username/password and an optional TOTP code. +// Security: never logged; password and totp_code must not appear in audit logs. +type LoginRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + Password string `protobuf:"bytes,2,opt,name=password,proto3" json:"password,omitempty"` // security: never logged or stored + TotpCode string `protobuf:"bytes,3,opt,name=totp_code,json=totpCode,proto3" json:"totp_code,omitempty"` // optional; required if TOTP enrolled + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LoginRequest) Reset() { + *x = LoginRequest{} + mi := &file_mcias_v1_auth_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LoginRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LoginRequest) ProtoMessage() {} + +func (x *LoginRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LoginRequest.ProtoReflect.Descriptor instead. +func (*LoginRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{0} +} + +func (x *LoginRequest) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *LoginRequest) GetPassword() string { + if x != nil { + return x.Password + } + return "" +} + +func (x *LoginRequest) GetTotpCode() string { + if x != nil { + return x.TotpCode + } + return "" +} + +// LoginResponse returns the signed JWT and its expiry time. +// Security: token is a bearer credential; the caller must protect it. +type LoginResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` + ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LoginResponse) Reset() { + *x = LoginResponse{} + mi := &file_mcias_v1_auth_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LoginResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LoginResponse) ProtoMessage() {} + +func (x *LoginResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LoginResponse.ProtoReflect.Descriptor instead. +func (*LoginResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{1} +} + +func (x *LoginResponse) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +func (x *LoginResponse) GetExpiresAt() *timestamppb.Timestamp { + if x != nil { + return x.ExpiresAt + } + return nil +} + +// LogoutRequest carries no body; the token is extracted from gRPC metadata. +type LogoutRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LogoutRequest) Reset() { + *x = LogoutRequest{} + mi := &file_mcias_v1_auth_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LogoutRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LogoutRequest) ProtoMessage() {} + +func (x *LogoutRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LogoutRequest.ProtoReflect.Descriptor instead. +func (*LogoutRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{2} +} + +// LogoutResponse confirms the token has been revoked. +type LogoutResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *LogoutResponse) Reset() { + *x = LogoutResponse{} + mi := &file_mcias_v1_auth_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *LogoutResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LogoutResponse) ProtoMessage() {} + +func (x *LogoutResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LogoutResponse.ProtoReflect.Descriptor instead. +func (*LogoutResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{3} +} + +// RenewTokenRequest carries no body; the existing token is in metadata. +type RenewTokenRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RenewTokenRequest) Reset() { + *x = RenewTokenRequest{} + mi := &file_mcias_v1_auth_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RenewTokenRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RenewTokenRequest) ProtoMessage() {} + +func (x *RenewTokenRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RenewTokenRequest.ProtoReflect.Descriptor instead. +func (*RenewTokenRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{4} +} + +// RenewTokenResponse returns a new JWT with a fresh expiry. +type RenewTokenResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` + ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RenewTokenResponse) Reset() { + *x = RenewTokenResponse{} + mi := &file_mcias_v1_auth_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RenewTokenResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RenewTokenResponse) ProtoMessage() {} + +func (x *RenewTokenResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RenewTokenResponse.ProtoReflect.Descriptor instead. +func (*RenewTokenResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{5} +} + +func (x *RenewTokenResponse) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +func (x *RenewTokenResponse) GetExpiresAt() *timestamppb.Timestamp { + if x != nil { + return x.ExpiresAt + } + return nil +} + +// EnrollTOTPRequest carries no body; the acting account is from the JWT. +type EnrollTOTPRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EnrollTOTPRequest) Reset() { + *x = EnrollTOTPRequest{} + mi := &file_mcias_v1_auth_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EnrollTOTPRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EnrollTOTPRequest) ProtoMessage() {} + +func (x *EnrollTOTPRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EnrollTOTPRequest.ProtoReflect.Descriptor instead. +func (*EnrollTOTPRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{6} +} + +// EnrollTOTPResponse returns the TOTP secret and otpauth URI for display. +// Security: the secret is shown once; it is stored only in encrypted form. +type EnrollTOTPResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Secret string `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"` // base32-encoded; display once, then discard + OtpauthUri string `protobuf:"bytes,2,opt,name=otpauth_uri,json=otpauthUri,proto3" json:"otpauth_uri,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *EnrollTOTPResponse) Reset() { + *x = EnrollTOTPResponse{} + mi := &file_mcias_v1_auth_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EnrollTOTPResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EnrollTOTPResponse) ProtoMessage() {} + +func (x *EnrollTOTPResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EnrollTOTPResponse.ProtoReflect.Descriptor instead. +func (*EnrollTOTPResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{7} +} + +func (x *EnrollTOTPResponse) GetSecret() string { + if x != nil { + return x.Secret + } + return "" +} + +func (x *EnrollTOTPResponse) GetOtpauthUri() string { + if x != nil { + return x.OtpauthUri + } + return "" +} + +// ConfirmTOTPRequest carries the TOTP code to confirm enrollment. +type ConfirmTOTPRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Code string `protobuf:"bytes,1,opt,name=code,proto3" json:"code,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ConfirmTOTPRequest) Reset() { + *x = ConfirmTOTPRequest{} + mi := &file_mcias_v1_auth_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ConfirmTOTPRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ConfirmTOTPRequest) ProtoMessage() {} + +func (x *ConfirmTOTPRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[8] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ConfirmTOTPRequest.ProtoReflect.Descriptor instead. +func (*ConfirmTOTPRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{8} +} + +func (x *ConfirmTOTPRequest) GetCode() string { + if x != nil { + return x.Code + } + return "" +} + +// ConfirmTOTPResponse confirms TOTP enrollment is complete. +type ConfirmTOTPResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ConfirmTOTPResponse) Reset() { + *x = ConfirmTOTPResponse{} + mi := &file_mcias_v1_auth_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ConfirmTOTPResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ConfirmTOTPResponse) ProtoMessage() {} + +func (x *ConfirmTOTPResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ConfirmTOTPResponse.ProtoReflect.Descriptor instead. +func (*ConfirmTOTPResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{9} +} + +// RemoveTOTPRequest carries the target account ID (admin only). +type RemoveTOTPRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + AccountId string `protobuf:"bytes,1,opt,name=account_id,json=accountId,proto3" json:"account_id,omitempty"` // UUID of the account to remove TOTP from + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RemoveTOTPRequest) Reset() { + *x = RemoveTOTPRequest{} + mi := &file_mcias_v1_auth_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RemoveTOTPRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RemoveTOTPRequest) ProtoMessage() {} + +func (x *RemoveTOTPRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[10] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RemoveTOTPRequest.ProtoReflect.Descriptor instead. +func (*RemoveTOTPRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{10} +} + +func (x *RemoveTOTPRequest) GetAccountId() string { + if x != nil { + return x.AccountId + } + return "" +} + +// RemoveTOTPResponse confirms removal. +type RemoveTOTPResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RemoveTOTPResponse) Reset() { + *x = RemoveTOTPResponse{} + mi := &file_mcias_v1_auth_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RemoveTOTPResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RemoveTOTPResponse) ProtoMessage() {} + +func (x *RemoveTOTPResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_auth_proto_msgTypes[11] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RemoveTOTPResponse.ProtoReflect.Descriptor instead. +func (*RemoveTOTPResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_auth_proto_rawDescGZIP(), []int{11} +} + +var File_mcias_v1_auth_proto protoreflect.FileDescriptor + +const file_mcias_v1_auth_proto_rawDesc = "" + + "\n" + + "\x13mcias/v1/auth.proto\x12\bmcias.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"c\n" + + "\fLoginRequest\x12\x1a\n" + + "\busername\x18\x01 \x01(\tR\busername\x12\x1a\n" + + "\bpassword\x18\x02 \x01(\tR\bpassword\x12\x1b\n" + + "\ttotp_code\x18\x03 \x01(\tR\btotpCode\"`\n" + + "\rLoginResponse\x12\x14\n" + + "\x05token\x18\x01 \x01(\tR\x05token\x129\n" + + "\n" + + "expires_at\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\texpiresAt\"\x0f\n" + + "\rLogoutRequest\"\x10\n" + + "\x0eLogoutResponse\"\x13\n" + + "\x11RenewTokenRequest\"e\n" + + "\x12RenewTokenResponse\x12\x14\n" + + "\x05token\x18\x01 \x01(\tR\x05token\x129\n" + + "\n" + + "expires_at\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\texpiresAt\"\x13\n" + + "\x11EnrollTOTPRequest\"M\n" + + "\x12EnrollTOTPResponse\x12\x16\n" + + "\x06secret\x18\x01 \x01(\tR\x06secret\x12\x1f\n" + + "\votpauth_uri\x18\x02 \x01(\tR\n" + + "otpauthUri\"(\n" + + "\x12ConfirmTOTPRequest\x12\x12\n" + + "\x04code\x18\x01 \x01(\tR\x04code\"\x15\n" + + "\x13ConfirmTOTPResponse\"2\n" + + "\x11RemoveTOTPRequest\x12\x1d\n" + + "\n" + + "account_id\x18\x01 \x01(\tR\taccountId\"\x14\n" + + "\x12RemoveTOTPResponse2\xab\x03\n" + + "\vAuthService\x128\n" + + "\x05Login\x12\x16.mcias.v1.LoginRequest\x1a\x17.mcias.v1.LoginResponse\x12;\n" + + "\x06Logout\x12\x17.mcias.v1.LogoutRequest\x1a\x18.mcias.v1.LogoutResponse\x12G\n" + + "\n" + + "RenewToken\x12\x1b.mcias.v1.RenewTokenRequest\x1a\x1c.mcias.v1.RenewTokenResponse\x12G\n" + + "\n" + + "EnrollTOTP\x12\x1b.mcias.v1.EnrollTOTPRequest\x1a\x1c.mcias.v1.EnrollTOTPResponse\x12J\n" + + "\vConfirmTOTP\x12\x1c.mcias.v1.ConfirmTOTPRequest\x1a\x1d.mcias.v1.ConfirmTOTPResponse\x12G\n" + + "\n" + + "RemoveTOTP\x12\x1b.mcias.v1.RemoveTOTPRequest\x1a\x1c.mcias.v1.RemoveTOTPResponseB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3" + +var ( + file_mcias_v1_auth_proto_rawDescOnce sync.Once + file_mcias_v1_auth_proto_rawDescData []byte +) + +func file_mcias_v1_auth_proto_rawDescGZIP() []byte { + file_mcias_v1_auth_proto_rawDescOnce.Do(func() { + file_mcias_v1_auth_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcias_v1_auth_proto_rawDesc), len(file_mcias_v1_auth_proto_rawDesc))) + }) + return file_mcias_v1_auth_proto_rawDescData +} + +var file_mcias_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 12) +var file_mcias_v1_auth_proto_goTypes = []any{ + (*LoginRequest)(nil), // 0: mcias.v1.LoginRequest + (*LoginResponse)(nil), // 1: mcias.v1.LoginResponse + (*LogoutRequest)(nil), // 2: mcias.v1.LogoutRequest + (*LogoutResponse)(nil), // 3: mcias.v1.LogoutResponse + (*RenewTokenRequest)(nil), // 4: mcias.v1.RenewTokenRequest + (*RenewTokenResponse)(nil), // 5: mcias.v1.RenewTokenResponse + (*EnrollTOTPRequest)(nil), // 6: mcias.v1.EnrollTOTPRequest + (*EnrollTOTPResponse)(nil), // 7: mcias.v1.EnrollTOTPResponse + (*ConfirmTOTPRequest)(nil), // 8: mcias.v1.ConfirmTOTPRequest + (*ConfirmTOTPResponse)(nil), // 9: mcias.v1.ConfirmTOTPResponse + (*RemoveTOTPRequest)(nil), // 10: mcias.v1.RemoveTOTPRequest + (*RemoveTOTPResponse)(nil), // 11: mcias.v1.RemoveTOTPResponse + (*timestamppb.Timestamp)(nil), // 12: google.protobuf.Timestamp +} +var file_mcias_v1_auth_proto_depIdxs = []int32{ + 12, // 0: mcias.v1.LoginResponse.expires_at:type_name -> google.protobuf.Timestamp + 12, // 1: mcias.v1.RenewTokenResponse.expires_at:type_name -> google.protobuf.Timestamp + 0, // 2: mcias.v1.AuthService.Login:input_type -> mcias.v1.LoginRequest + 2, // 3: mcias.v1.AuthService.Logout:input_type -> mcias.v1.LogoutRequest + 4, // 4: mcias.v1.AuthService.RenewToken:input_type -> mcias.v1.RenewTokenRequest + 6, // 5: mcias.v1.AuthService.EnrollTOTP:input_type -> mcias.v1.EnrollTOTPRequest + 8, // 6: mcias.v1.AuthService.ConfirmTOTP:input_type -> mcias.v1.ConfirmTOTPRequest + 10, // 7: mcias.v1.AuthService.RemoveTOTP:input_type -> mcias.v1.RemoveTOTPRequest + 1, // 8: mcias.v1.AuthService.Login:output_type -> mcias.v1.LoginResponse + 3, // 9: mcias.v1.AuthService.Logout:output_type -> mcias.v1.LogoutResponse + 5, // 10: mcias.v1.AuthService.RenewToken:output_type -> mcias.v1.RenewTokenResponse + 7, // 11: mcias.v1.AuthService.EnrollTOTP:output_type -> mcias.v1.EnrollTOTPResponse + 9, // 12: mcias.v1.AuthService.ConfirmTOTP:output_type -> mcias.v1.ConfirmTOTPResponse + 11, // 13: mcias.v1.AuthService.RemoveTOTP:output_type -> mcias.v1.RemoveTOTPResponse + 8, // [8:14] is the sub-list for method output_type + 2, // [2:8] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_mcias_v1_auth_proto_init() } +func file_mcias_v1_auth_proto_init() { + if File_mcias_v1_auth_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcias_v1_auth_proto_rawDesc), len(file_mcias_v1_auth_proto_rawDesc)), + NumEnums: 0, + NumMessages: 12, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_mcias_v1_auth_proto_goTypes, + DependencyIndexes: file_mcias_v1_auth_proto_depIdxs, + MessageInfos: file_mcias_v1_auth_proto_msgTypes, + }.Build() + File_mcias_v1_auth_proto = out.File + file_mcias_v1_auth_proto_goTypes = nil + file_mcias_v1_auth_proto_depIdxs = nil +} diff --git a/gen/mcias/v1/auth_grpc.pb.go b/gen/mcias/v1/auth_grpc.pb.go new file mode 100644 index 0000000..eda8857 --- /dev/null +++ b/gen/mcias/v1/auth_grpc.pb.go @@ -0,0 +1,341 @@ +// AuthService: login, logout, token renewal, and TOTP management. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc v6.33.4 +// source: mcias/v1/auth.proto + +package mciasv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + AuthService_Login_FullMethodName = "/mcias.v1.AuthService/Login" + AuthService_Logout_FullMethodName = "/mcias.v1.AuthService/Logout" + AuthService_RenewToken_FullMethodName = "/mcias.v1.AuthService/RenewToken" + AuthService_EnrollTOTP_FullMethodName = "/mcias.v1.AuthService/EnrollTOTP" + AuthService_ConfirmTOTP_FullMethodName = "/mcias.v1.AuthService/ConfirmTOTP" + AuthService_RemoveTOTP_FullMethodName = "/mcias.v1.AuthService/RemoveTOTP" +) + +// AuthServiceClient is the client API for AuthService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// AuthService handles all authentication flows. +type AuthServiceClient interface { + // Login authenticates with username+password (+optional TOTP) and returns a JWT. + // Public RPC — no auth required. + Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) + // Logout revokes the caller's current token. + // Requires: valid JWT in metadata. + Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) + // RenewToken exchanges the caller's token for a fresh one. + // Requires: valid JWT in metadata. + RenewToken(ctx context.Context, in *RenewTokenRequest, opts ...grpc.CallOption) (*RenewTokenResponse, error) + // EnrollTOTP begins TOTP enrollment for the calling account. + // Requires: valid JWT in metadata. + EnrollTOTP(ctx context.Context, in *EnrollTOTPRequest, opts ...grpc.CallOption) (*EnrollTOTPResponse, error) + // ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app. + // Requires: valid JWT in metadata. + ConfirmTOTP(ctx context.Context, in *ConfirmTOTPRequest, opts ...grpc.CallOption) (*ConfirmTOTPResponse, error) + // RemoveTOTP removes TOTP from an account (admin only). + // Requires: admin JWT in metadata. + RemoveTOTP(ctx context.Context, in *RemoveTOTPRequest, opts ...grpc.CallOption) (*RemoveTOTPResponse, error) +} + +type authServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewAuthServiceClient(cc grpc.ClientConnInterface) AuthServiceClient { + return &authServiceClient{cc} +} + +func (c *authServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(LoginResponse) + err := c.cc.Invoke(ctx, AuthService_Login_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *authServiceClient) Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(LogoutResponse) + err := c.cc.Invoke(ctx, AuthService_Logout_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *authServiceClient) RenewToken(ctx context.Context, in *RenewTokenRequest, opts ...grpc.CallOption) (*RenewTokenResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(RenewTokenResponse) + err := c.cc.Invoke(ctx, AuthService_RenewToken_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *authServiceClient) EnrollTOTP(ctx context.Context, in *EnrollTOTPRequest, opts ...grpc.CallOption) (*EnrollTOTPResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(EnrollTOTPResponse) + err := c.cc.Invoke(ctx, AuthService_EnrollTOTP_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *authServiceClient) ConfirmTOTP(ctx context.Context, in *ConfirmTOTPRequest, opts ...grpc.CallOption) (*ConfirmTOTPResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(ConfirmTOTPResponse) + err := c.cc.Invoke(ctx, AuthService_ConfirmTOTP_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *authServiceClient) RemoveTOTP(ctx context.Context, in *RemoveTOTPRequest, opts ...grpc.CallOption) (*RemoveTOTPResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(RemoveTOTPResponse) + err := c.cc.Invoke(ctx, AuthService_RemoveTOTP_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// AuthServiceServer is the server API for AuthService service. +// All implementations must embed UnimplementedAuthServiceServer +// for forward compatibility. +// +// AuthService handles all authentication flows. +type AuthServiceServer interface { + // Login authenticates with username+password (+optional TOTP) and returns a JWT. + // Public RPC — no auth required. + Login(context.Context, *LoginRequest) (*LoginResponse, error) + // Logout revokes the caller's current token. + // Requires: valid JWT in metadata. + Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) + // RenewToken exchanges the caller's token for a fresh one. + // Requires: valid JWT in metadata. + RenewToken(context.Context, *RenewTokenRequest) (*RenewTokenResponse, error) + // EnrollTOTP begins TOTP enrollment for the calling account. + // Requires: valid JWT in metadata. + EnrollTOTP(context.Context, *EnrollTOTPRequest) (*EnrollTOTPResponse, error) + // ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app. + // Requires: valid JWT in metadata. + ConfirmTOTP(context.Context, *ConfirmTOTPRequest) (*ConfirmTOTPResponse, error) + // RemoveTOTP removes TOTP from an account (admin only). + // Requires: admin JWT in metadata. + RemoveTOTP(context.Context, *RemoveTOTPRequest) (*RemoveTOTPResponse, error) + mustEmbedUnimplementedAuthServiceServer() +} + +// UnimplementedAuthServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedAuthServiceServer struct{} + +func (UnimplementedAuthServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Login not implemented") +} +func (UnimplementedAuthServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) { + return nil, status.Error(codes.Unimplemented, "method Logout not implemented") +} +func (UnimplementedAuthServiceServer) RenewToken(context.Context, *RenewTokenRequest) (*RenewTokenResponse, error) { + return nil, status.Error(codes.Unimplemented, "method RenewToken not implemented") +} +func (UnimplementedAuthServiceServer) EnrollTOTP(context.Context, *EnrollTOTPRequest) (*EnrollTOTPResponse, error) { + return nil, status.Error(codes.Unimplemented, "method EnrollTOTP not implemented") +} +func (UnimplementedAuthServiceServer) ConfirmTOTP(context.Context, *ConfirmTOTPRequest) (*ConfirmTOTPResponse, error) { + return nil, status.Error(codes.Unimplemented, "method ConfirmTOTP not implemented") +} +func (UnimplementedAuthServiceServer) RemoveTOTP(context.Context, *RemoveTOTPRequest) (*RemoveTOTPResponse, error) { + return nil, status.Error(codes.Unimplemented, "method RemoveTOTP not implemented") +} +func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {} +func (UnimplementedAuthServiceServer) testEmbeddedByValue() {} + +// UnsafeAuthServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to AuthServiceServer will +// result in compilation errors. +type UnsafeAuthServiceServer interface { + mustEmbedUnimplementedAuthServiceServer() +} + +func RegisterAuthServiceServer(s grpc.ServiceRegistrar, srv AuthServiceServer) { + // If the following call panics, it indicates UnimplementedAuthServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&AuthService_ServiceDesc, srv) +} + +func _AuthService_Login_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(LoginRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AuthServiceServer).Login(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AuthService_Login_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AuthServiceServer).Login(ctx, req.(*LoginRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AuthService_Logout_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(LogoutRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AuthServiceServer).Logout(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AuthService_Logout_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AuthServiceServer).Logout(ctx, req.(*LogoutRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AuthService_RenewToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(RenewTokenRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AuthServiceServer).RenewToken(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AuthService_RenewToken_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AuthServiceServer).RenewToken(ctx, req.(*RenewTokenRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AuthService_EnrollTOTP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EnrollTOTPRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AuthServiceServer).EnrollTOTP(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AuthService_EnrollTOTP_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AuthServiceServer).EnrollTOTP(ctx, req.(*EnrollTOTPRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AuthService_ConfirmTOTP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ConfirmTOTPRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AuthServiceServer).ConfirmTOTP(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AuthService_ConfirmTOTP_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AuthServiceServer).ConfirmTOTP(ctx, req.(*ConfirmTOTPRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _AuthService_RemoveTOTP_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(RemoveTOTPRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(AuthServiceServer).RemoveTOTP(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: AuthService_RemoveTOTP_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(AuthServiceServer).RemoveTOTP(ctx, req.(*RemoveTOTPRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// AuthService_ServiceDesc is the grpc.ServiceDesc for AuthService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var AuthService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "mcias.v1.AuthService", + HandlerType: (*AuthServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Login", + Handler: _AuthService_Login_Handler, + }, + { + MethodName: "Logout", + Handler: _AuthService_Logout_Handler, + }, + { + MethodName: "RenewToken", + Handler: _AuthService_RenewToken_Handler, + }, + { + MethodName: "EnrollTOTP", + Handler: _AuthService_EnrollTOTP_Handler, + }, + { + MethodName: "ConfirmTOTP", + Handler: _AuthService_ConfirmTOTP_Handler, + }, + { + MethodName: "RemoveTOTP", + Handler: _AuthService_RemoveTOTP_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "mcias/v1/auth.proto", +} diff --git a/gen/mcias/v1/common.pb.go b/gen/mcias/v1/common.pb.go new file mode 100644 index 0000000..4880699 --- /dev/null +++ b/gen/mcias/v1/common.pb.go @@ -0,0 +1,409 @@ +// Common message types shared across MCIAS gRPC services. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc v6.33.4 +// source: mcias/v1/common.proto + +package mciasv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Account represents a user or service identity. Credential fields +// (password_hash, totp_secret) are never included in any response. +type Account struct { + state protoimpl.MessageState `protogen:"open.v1"` + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // UUID + Username string `protobuf:"bytes,2,opt,name=username,proto3" json:"username,omitempty"` + AccountType string `protobuf:"bytes,3,opt,name=account_type,json=accountType,proto3" json:"account_type,omitempty"` // "human" or "system" + Status string `protobuf:"bytes,4,opt,name=status,proto3" json:"status,omitempty"` // "active", "inactive", or "deleted" + TotpEnabled bool `protobuf:"varint,5,opt,name=totp_enabled,json=totpEnabled,proto3" json:"totp_enabled,omitempty"` + CreatedAt *timestamppb.Timestamp `protobuf:"bytes,6,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"` + UpdatedAt *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=updated_at,json=updatedAt,proto3" json:"updated_at,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Account) Reset() { + *x = Account{} + mi := &file_mcias_v1_common_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Account) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Account) ProtoMessage() {} + +func (x *Account) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_common_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Account.ProtoReflect.Descriptor instead. +func (*Account) Descriptor() ([]byte, []int) { + return file_mcias_v1_common_proto_rawDescGZIP(), []int{0} +} + +func (x *Account) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *Account) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *Account) GetAccountType() string { + if x != nil { + return x.AccountType + } + return "" +} + +func (x *Account) GetStatus() string { + if x != nil { + return x.Status + } + return "" +} + +func (x *Account) GetTotpEnabled() bool { + if x != nil { + return x.TotpEnabled + } + return false +} + +func (x *Account) GetCreatedAt() *timestamppb.Timestamp { + if x != nil { + return x.CreatedAt + } + return nil +} + +func (x *Account) GetUpdatedAt() *timestamppb.Timestamp { + if x != nil { + return x.UpdatedAt + } + return nil +} + +// TokenInfo describes an issued token by its JTI (never the raw value). +type TokenInfo struct { + state protoimpl.MessageState `protogen:"open.v1"` + Jti string `protobuf:"bytes,1,opt,name=jti,proto3" json:"jti,omitempty"` + IssuedAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"` + ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + RevokedAt *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=revoked_at,json=revokedAt,proto3" json:"revoked_at,omitempty"` // zero if not revoked + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *TokenInfo) Reset() { + *x = TokenInfo{} + mi := &file_mcias_v1_common_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TokenInfo) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TokenInfo) ProtoMessage() {} + +func (x *TokenInfo) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_common_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TokenInfo.ProtoReflect.Descriptor instead. +func (*TokenInfo) Descriptor() ([]byte, []int) { + return file_mcias_v1_common_proto_rawDescGZIP(), []int{1} +} + +func (x *TokenInfo) GetJti() string { + if x != nil { + return x.Jti + } + return "" +} + +func (x *TokenInfo) GetIssuedAt() *timestamppb.Timestamp { + if x != nil { + return x.IssuedAt + } + return nil +} + +func (x *TokenInfo) GetExpiresAt() *timestamppb.Timestamp { + if x != nil { + return x.ExpiresAt + } + return nil +} + +func (x *TokenInfo) GetRevokedAt() *timestamppb.Timestamp { + if x != nil { + return x.RevokedAt + } + return nil +} + +// PGCreds holds Postgres connection details. Password is decrypted and +// present only when explicitly requested via GetPGCreds; it is never +// included in list responses. +type PGCreds struct { + state protoimpl.MessageState `protogen:"open.v1"` + Host string `protobuf:"bytes,1,opt,name=host,proto3" json:"host,omitempty"` + Database string `protobuf:"bytes,2,opt,name=database,proto3" json:"database,omitempty"` + Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"` + Password string `protobuf:"bytes,4,opt,name=password,proto3" json:"password,omitempty"` // security: only populated on explicit get + Port int32 `protobuf:"varint,5,opt,name=port,proto3" json:"port,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PGCreds) Reset() { + *x = PGCreds{} + mi := &file_mcias_v1_common_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PGCreds) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PGCreds) ProtoMessage() {} + +func (x *PGCreds) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_common_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PGCreds.ProtoReflect.Descriptor instead. +func (*PGCreds) Descriptor() ([]byte, []int) { + return file_mcias_v1_common_proto_rawDescGZIP(), []int{2} +} + +func (x *PGCreds) GetHost() string { + if x != nil { + return x.Host + } + return "" +} + +func (x *PGCreds) GetDatabase() string { + if x != nil { + return x.Database + } + return "" +} + +func (x *PGCreds) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *PGCreds) GetPassword() string { + if x != nil { + return x.Password + } + return "" +} + +func (x *PGCreds) GetPort() int32 { + if x != nil { + return x.Port + } + return 0 +} + +// Error is the canonical error detail embedded in gRPC status details. +type Error struct { + state protoimpl.MessageState `protogen:"open.v1"` + Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"` + Code string `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *Error) Reset() { + *x = Error{} + mi := &file_mcias_v1_common_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Error) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Error) ProtoMessage() {} + +func (x *Error) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_common_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Error.ProtoReflect.Descriptor instead. +func (*Error) Descriptor() ([]byte, []int) { + return file_mcias_v1_common_proto_rawDescGZIP(), []int{3} +} + +func (x *Error) GetMessage() string { + if x != nil { + return x.Message + } + return "" +} + +func (x *Error) GetCode() string { + if x != nil { + return x.Code + } + return "" +} + +var File_mcias_v1_common_proto protoreflect.FileDescriptor + +const file_mcias_v1_common_proto_rawDesc = "" + + "\n" + + "\x15mcias/v1/common.proto\x12\bmcias.v1\x1a\x1fgoogle/protobuf/timestamp.proto\"\x89\x02\n" + + "\aAccount\x12\x0e\n" + + "\x02id\x18\x01 \x01(\tR\x02id\x12\x1a\n" + + "\busername\x18\x02 \x01(\tR\busername\x12!\n" + + "\faccount_type\x18\x03 \x01(\tR\vaccountType\x12\x16\n" + + "\x06status\x18\x04 \x01(\tR\x06status\x12!\n" + + "\ftotp_enabled\x18\x05 \x01(\bR\vtotpEnabled\x129\n" + + "\n" + + "created_at\x18\x06 \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x129\n" + + "\n" + + "updated_at\x18\a \x01(\v2\x1a.google.protobuf.TimestampR\tupdatedAt\"\xcc\x01\n" + + "\tTokenInfo\x12\x10\n" + + "\x03jti\x18\x01 \x01(\tR\x03jti\x127\n" + + "\tissued_at\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\bissuedAt\x129\n" + + "\n" + + "expires_at\x18\x03 \x01(\v2\x1a.google.protobuf.TimestampR\texpiresAt\x129\n" + + "\n" + + "revoked_at\x18\x04 \x01(\v2\x1a.google.protobuf.TimestampR\trevokedAt\"\x85\x01\n" + + "\aPGCreds\x12\x12\n" + + "\x04host\x18\x01 \x01(\tR\x04host\x12\x1a\n" + + "\bdatabase\x18\x02 \x01(\tR\bdatabase\x12\x1a\n" + + "\busername\x18\x03 \x01(\tR\busername\x12\x1a\n" + + "\bpassword\x18\x04 \x01(\tR\bpassword\x12\x12\n" + + "\x04port\x18\x05 \x01(\x05R\x04port\"5\n" + + "\x05Error\x12\x18\n" + + "\amessage\x18\x01 \x01(\tR\amessage\x12\x12\n" + + "\x04code\x18\x02 \x01(\tR\x04codeB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3" + +var ( + file_mcias_v1_common_proto_rawDescOnce sync.Once + file_mcias_v1_common_proto_rawDescData []byte +) + +func file_mcias_v1_common_proto_rawDescGZIP() []byte { + file_mcias_v1_common_proto_rawDescOnce.Do(func() { + file_mcias_v1_common_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcias_v1_common_proto_rawDesc), len(file_mcias_v1_common_proto_rawDesc))) + }) + return file_mcias_v1_common_proto_rawDescData +} + +var file_mcias_v1_common_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_mcias_v1_common_proto_goTypes = []any{ + (*Account)(nil), // 0: mcias.v1.Account + (*TokenInfo)(nil), // 1: mcias.v1.TokenInfo + (*PGCreds)(nil), // 2: mcias.v1.PGCreds + (*Error)(nil), // 3: mcias.v1.Error + (*timestamppb.Timestamp)(nil), // 4: google.protobuf.Timestamp +} +var file_mcias_v1_common_proto_depIdxs = []int32{ + 4, // 0: mcias.v1.Account.created_at:type_name -> google.protobuf.Timestamp + 4, // 1: mcias.v1.Account.updated_at:type_name -> google.protobuf.Timestamp + 4, // 2: mcias.v1.TokenInfo.issued_at:type_name -> google.protobuf.Timestamp + 4, // 3: mcias.v1.TokenInfo.expires_at:type_name -> google.protobuf.Timestamp + 4, // 4: mcias.v1.TokenInfo.revoked_at:type_name -> google.protobuf.Timestamp + 5, // [5:5] is the sub-list for method output_type + 5, // [5:5] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name +} + +func init() { file_mcias_v1_common_proto_init() } +func file_mcias_v1_common_proto_init() { + if File_mcias_v1_common_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcias_v1_common_proto_rawDesc), len(file_mcias_v1_common_proto_rawDesc)), + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_mcias_v1_common_proto_goTypes, + DependencyIndexes: file_mcias_v1_common_proto_depIdxs, + MessageInfos: file_mcias_v1_common_proto_msgTypes, + }.Build() + File_mcias_v1_common_proto = out.File + file_mcias_v1_common_proto_goTypes = nil + file_mcias_v1_common_proto_depIdxs = nil +} diff --git a/gen/mcias/v1/token.pb.go b/gen/mcias/v1/token.pb.go new file mode 100644 index 0000000..4fee42e --- /dev/null +++ b/gen/mcias/v1/token.pb.go @@ -0,0 +1,411 @@ +// TokenService: token validation, service-token issuance, and revocation. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.11 +// protoc v6.33.4 +// source: mcias/v1/token.proto + +package mciasv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// ValidateTokenRequest carries the token to validate. +// The token may also be supplied via the Authorization metadata key; +// this field is an alternative for callers that cannot set metadata. +type ValidateTokenRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ValidateTokenRequest) Reset() { + *x = ValidateTokenRequest{} + mi := &file_mcias_v1_token_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ValidateTokenRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ValidateTokenRequest) ProtoMessage() {} + +func (x *ValidateTokenRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_token_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ValidateTokenRequest.ProtoReflect.Descriptor instead. +func (*ValidateTokenRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_token_proto_rawDescGZIP(), []int{0} +} + +func (x *ValidateTokenRequest) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +// ValidateTokenResponse reports validity and, on success, the claims. +type ValidateTokenResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Valid bool `protobuf:"varint,1,opt,name=valid,proto3" json:"valid,omitempty"` + Subject string `protobuf:"bytes,2,opt,name=subject,proto3" json:"subject,omitempty"` // UUID of the account; empty if invalid + Roles []string `protobuf:"bytes,3,rep,name=roles,proto3" json:"roles,omitempty"` + ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ValidateTokenResponse) Reset() { + *x = ValidateTokenResponse{} + mi := &file_mcias_v1_token_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ValidateTokenResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ValidateTokenResponse) ProtoMessage() {} + +func (x *ValidateTokenResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_token_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ValidateTokenResponse.ProtoReflect.Descriptor instead. +func (*ValidateTokenResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_token_proto_rawDescGZIP(), []int{1} +} + +func (x *ValidateTokenResponse) GetValid() bool { + if x != nil { + return x.Valid + } + return false +} + +func (x *ValidateTokenResponse) GetSubject() string { + if x != nil { + return x.Subject + } + return "" +} + +func (x *ValidateTokenResponse) GetRoles() []string { + if x != nil { + return x.Roles + } + return nil +} + +func (x *ValidateTokenResponse) GetExpiresAt() *timestamppb.Timestamp { + if x != nil { + return x.ExpiresAt + } + return nil +} + +// IssueServiceTokenRequest specifies the system account to issue a token for. +type IssueServiceTokenRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + AccountId string `protobuf:"bytes,1,opt,name=account_id,json=accountId,proto3" json:"account_id,omitempty"` // UUID of the system account + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *IssueServiceTokenRequest) Reset() { + *x = IssueServiceTokenRequest{} + mi := &file_mcias_v1_token_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *IssueServiceTokenRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*IssueServiceTokenRequest) ProtoMessage() {} + +func (x *IssueServiceTokenRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_token_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use IssueServiceTokenRequest.ProtoReflect.Descriptor instead. +func (*IssueServiceTokenRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_token_proto_rawDescGZIP(), []int{2} +} + +func (x *IssueServiceTokenRequest) GetAccountId() string { + if x != nil { + return x.AccountId + } + return "" +} + +// IssueServiceTokenResponse returns the new token and its expiry. +type IssueServiceTokenResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` + ExpiresAt *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *IssueServiceTokenResponse) Reset() { + *x = IssueServiceTokenResponse{} + mi := &file_mcias_v1_token_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *IssueServiceTokenResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*IssueServiceTokenResponse) ProtoMessage() {} + +func (x *IssueServiceTokenResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_token_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use IssueServiceTokenResponse.ProtoReflect.Descriptor instead. +func (*IssueServiceTokenResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_token_proto_rawDescGZIP(), []int{3} +} + +func (x *IssueServiceTokenResponse) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +func (x *IssueServiceTokenResponse) GetExpiresAt() *timestamppb.Timestamp { + if x != nil { + return x.ExpiresAt + } + return nil +} + +// RevokeTokenRequest specifies the JTI to revoke. +type RevokeTokenRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + Jti string `protobuf:"bytes,1,opt,name=jti,proto3" json:"jti,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RevokeTokenRequest) Reset() { + *x = RevokeTokenRequest{} + mi := &file_mcias_v1_token_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RevokeTokenRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RevokeTokenRequest) ProtoMessage() {} + +func (x *RevokeTokenRequest) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_token_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RevokeTokenRequest.ProtoReflect.Descriptor instead. +func (*RevokeTokenRequest) Descriptor() ([]byte, []int) { + return file_mcias_v1_token_proto_rawDescGZIP(), []int{4} +} + +func (x *RevokeTokenRequest) GetJti() string { + if x != nil { + return x.Jti + } + return "" +} + +// RevokeTokenResponse confirms revocation. +type RevokeTokenResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RevokeTokenResponse) Reset() { + *x = RevokeTokenResponse{} + mi := &file_mcias_v1_token_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RevokeTokenResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RevokeTokenResponse) ProtoMessage() {} + +func (x *RevokeTokenResponse) ProtoReflect() protoreflect.Message { + mi := &file_mcias_v1_token_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RevokeTokenResponse.ProtoReflect.Descriptor instead. +func (*RevokeTokenResponse) Descriptor() ([]byte, []int) { + return file_mcias_v1_token_proto_rawDescGZIP(), []int{5} +} + +var File_mcias_v1_token_proto protoreflect.FileDescriptor + +const file_mcias_v1_token_proto_rawDesc = "" + + "\n" + + "\x14mcias/v1/token.proto\x12\bmcias.v1\x1a\x1fgoogle/protobuf/timestamp.proto\",\n" + + "\x14ValidateTokenRequest\x12\x14\n" + + "\x05token\x18\x01 \x01(\tR\x05token\"\x98\x01\n" + + "\x15ValidateTokenResponse\x12\x14\n" + + "\x05valid\x18\x01 \x01(\bR\x05valid\x12\x18\n" + + "\asubject\x18\x02 \x01(\tR\asubject\x12\x14\n" + + "\x05roles\x18\x03 \x03(\tR\x05roles\x129\n" + + "\n" + + "expires_at\x18\x04 \x01(\v2\x1a.google.protobuf.TimestampR\texpiresAt\"9\n" + + "\x18IssueServiceTokenRequest\x12\x1d\n" + + "\n" + + "account_id\x18\x01 \x01(\tR\taccountId\"l\n" + + "\x19IssueServiceTokenResponse\x12\x14\n" + + "\x05token\x18\x01 \x01(\tR\x05token\x129\n" + + "\n" + + "expires_at\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\texpiresAt\"&\n" + + "\x12RevokeTokenRequest\x12\x10\n" + + "\x03jti\x18\x01 \x01(\tR\x03jti\"\x15\n" + + "\x13RevokeTokenResponse2\x8a\x02\n" + + "\fTokenService\x12P\n" + + "\rValidateToken\x12\x1e.mcias.v1.ValidateTokenRequest\x1a\x1f.mcias.v1.ValidateTokenResponse\x12\\\n" + + "\x11IssueServiceToken\x12\".mcias.v1.IssueServiceTokenRequest\x1a#.mcias.v1.IssueServiceTokenResponse\x12J\n" + + "\vRevokeToken\x12\x1c.mcias.v1.RevokeTokenRequest\x1a\x1d.mcias.v1.RevokeTokenResponseB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3" + +var ( + file_mcias_v1_token_proto_rawDescOnce sync.Once + file_mcias_v1_token_proto_rawDescData []byte +) + +func file_mcias_v1_token_proto_rawDescGZIP() []byte { + file_mcias_v1_token_proto_rawDescOnce.Do(func() { + file_mcias_v1_token_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcias_v1_token_proto_rawDesc), len(file_mcias_v1_token_proto_rawDesc))) + }) + return file_mcias_v1_token_proto_rawDescData +} + +var file_mcias_v1_token_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_mcias_v1_token_proto_goTypes = []any{ + (*ValidateTokenRequest)(nil), // 0: mcias.v1.ValidateTokenRequest + (*ValidateTokenResponse)(nil), // 1: mcias.v1.ValidateTokenResponse + (*IssueServiceTokenRequest)(nil), // 2: mcias.v1.IssueServiceTokenRequest + (*IssueServiceTokenResponse)(nil), // 3: mcias.v1.IssueServiceTokenResponse + (*RevokeTokenRequest)(nil), // 4: mcias.v1.RevokeTokenRequest + (*RevokeTokenResponse)(nil), // 5: mcias.v1.RevokeTokenResponse + (*timestamppb.Timestamp)(nil), // 6: google.protobuf.Timestamp +} +var file_mcias_v1_token_proto_depIdxs = []int32{ + 6, // 0: mcias.v1.ValidateTokenResponse.expires_at:type_name -> google.protobuf.Timestamp + 6, // 1: mcias.v1.IssueServiceTokenResponse.expires_at:type_name -> google.protobuf.Timestamp + 0, // 2: mcias.v1.TokenService.ValidateToken:input_type -> mcias.v1.ValidateTokenRequest + 2, // 3: mcias.v1.TokenService.IssueServiceToken:input_type -> mcias.v1.IssueServiceTokenRequest + 4, // 4: mcias.v1.TokenService.RevokeToken:input_type -> mcias.v1.RevokeTokenRequest + 1, // 5: mcias.v1.TokenService.ValidateToken:output_type -> mcias.v1.ValidateTokenResponse + 3, // 6: mcias.v1.TokenService.IssueServiceToken:output_type -> mcias.v1.IssueServiceTokenResponse + 5, // 7: mcias.v1.TokenService.RevokeToken:output_type -> mcias.v1.RevokeTokenResponse + 5, // [5:8] is the sub-list for method output_type + 2, // [2:5] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_mcias_v1_token_proto_init() } +func file_mcias_v1_token_proto_init() { + if File_mcias_v1_token_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcias_v1_token_proto_rawDesc), len(file_mcias_v1_token_proto_rawDesc)), + NumEnums: 0, + NumMessages: 6, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_mcias_v1_token_proto_goTypes, + DependencyIndexes: file_mcias_v1_token_proto_depIdxs, + MessageInfos: file_mcias_v1_token_proto_msgTypes, + }.Build() + File_mcias_v1_token_proto = out.File + file_mcias_v1_token_proto_goTypes = nil + file_mcias_v1_token_proto_depIdxs = nil +} diff --git a/gen/mcias/v1/token_grpc.pb.go b/gen/mcias/v1/token_grpc.pb.go new file mode 100644 index 0000000..a292b48 --- /dev/null +++ b/gen/mcias/v1/token_grpc.pb.go @@ -0,0 +1,215 @@ +// TokenService: token validation, service-token issuance, and revocation. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.6.1 +// - protoc v6.33.4 +// source: mcias/v1/token.proto + +package mciasv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + TokenService_ValidateToken_FullMethodName = "/mcias.v1.TokenService/ValidateToken" + TokenService_IssueServiceToken_FullMethodName = "/mcias.v1.TokenService/IssueServiceToken" + TokenService_RevokeToken_FullMethodName = "/mcias.v1.TokenService/RevokeToken" +) + +// TokenServiceClient is the client API for TokenService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// TokenService manages token lifecycle. +type TokenServiceClient interface { + // ValidateToken checks whether a JWT is valid and returns its claims. + // Public RPC — no auth required. + ValidateToken(ctx context.Context, in *ValidateTokenRequest, opts ...grpc.CallOption) (*ValidateTokenResponse, error) + // IssueServiceToken issues a new service token for a system account. + // Requires: admin JWT in metadata. + IssueServiceToken(ctx context.Context, in *IssueServiceTokenRequest, opts ...grpc.CallOption) (*IssueServiceTokenResponse, error) + // RevokeToken revokes a token by JTI. + // Requires: admin JWT in metadata. + RevokeToken(ctx context.Context, in *RevokeTokenRequest, opts ...grpc.CallOption) (*RevokeTokenResponse, error) +} + +type tokenServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewTokenServiceClient(cc grpc.ClientConnInterface) TokenServiceClient { + return &tokenServiceClient{cc} +} + +func (c *tokenServiceClient) ValidateToken(ctx context.Context, in *ValidateTokenRequest, opts ...grpc.CallOption) (*ValidateTokenResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(ValidateTokenResponse) + err := c.cc.Invoke(ctx, TokenService_ValidateToken_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *tokenServiceClient) IssueServiceToken(ctx context.Context, in *IssueServiceTokenRequest, opts ...grpc.CallOption) (*IssueServiceTokenResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(IssueServiceTokenResponse) + err := c.cc.Invoke(ctx, TokenService_IssueServiceToken_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *tokenServiceClient) RevokeToken(ctx context.Context, in *RevokeTokenRequest, opts ...grpc.CallOption) (*RevokeTokenResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(RevokeTokenResponse) + err := c.cc.Invoke(ctx, TokenService_RevokeToken_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// TokenServiceServer is the server API for TokenService service. +// All implementations must embed UnimplementedTokenServiceServer +// for forward compatibility. +// +// TokenService manages token lifecycle. +type TokenServiceServer interface { + // ValidateToken checks whether a JWT is valid and returns its claims. + // Public RPC — no auth required. + ValidateToken(context.Context, *ValidateTokenRequest) (*ValidateTokenResponse, error) + // IssueServiceToken issues a new service token for a system account. + // Requires: admin JWT in metadata. + IssueServiceToken(context.Context, *IssueServiceTokenRequest) (*IssueServiceTokenResponse, error) + // RevokeToken revokes a token by JTI. + // Requires: admin JWT in metadata. + RevokeToken(context.Context, *RevokeTokenRequest) (*RevokeTokenResponse, error) + mustEmbedUnimplementedTokenServiceServer() +} + +// UnimplementedTokenServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. +type UnimplementedTokenServiceServer struct{} + +func (UnimplementedTokenServiceServer) ValidateToken(context.Context, *ValidateTokenRequest) (*ValidateTokenResponse, error) { + return nil, status.Error(codes.Unimplemented, "method ValidateToken not implemented") +} +func (UnimplementedTokenServiceServer) IssueServiceToken(context.Context, *IssueServiceTokenRequest) (*IssueServiceTokenResponse, error) { + return nil, status.Error(codes.Unimplemented, "method IssueServiceToken not implemented") +} +func (UnimplementedTokenServiceServer) RevokeToken(context.Context, *RevokeTokenRequest) (*RevokeTokenResponse, error) { + return nil, status.Error(codes.Unimplemented, "method RevokeToken not implemented") +} +func (UnimplementedTokenServiceServer) mustEmbedUnimplementedTokenServiceServer() {} +func (UnimplementedTokenServiceServer) testEmbeddedByValue() {} + +// UnsafeTokenServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to TokenServiceServer will +// result in compilation errors. +type UnsafeTokenServiceServer interface { + mustEmbedUnimplementedTokenServiceServer() +} + +func RegisterTokenServiceServer(s grpc.ServiceRegistrar, srv TokenServiceServer) { + // If the following call panics, it indicates UnimplementedTokenServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. + if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&TokenService_ServiceDesc, srv) +} + +func _TokenService_ValidateToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ValidateTokenRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(TokenServiceServer).ValidateToken(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: TokenService_ValidateToken_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(TokenServiceServer).ValidateToken(ctx, req.(*ValidateTokenRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _TokenService_IssueServiceToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(IssueServiceTokenRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(TokenServiceServer).IssueServiceToken(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: TokenService_IssueServiceToken_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(TokenServiceServer).IssueServiceToken(ctx, req.(*IssueServiceTokenRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _TokenService_RevokeToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(RevokeTokenRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(TokenServiceServer).RevokeToken(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: TokenService_RevokeToken_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(TokenServiceServer).RevokeToken(ctx, req.(*RevokeTokenRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// TokenService_ServiceDesc is the grpc.ServiceDesc for TokenService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var TokenService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "mcias.v1.TokenService", + HandlerType: (*TokenServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "ValidateToken", + Handler: _TokenService_ValidateToken_Handler, + }, + { + MethodName: "IssueServiceToken", + Handler: _TokenService_IssueServiceToken_Handler, + }, + { + MethodName: "RevokeToken", + Handler: _TokenService_RevokeToken_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "mcias/v1/token.proto", +} diff --git a/go.mod b/go.mod index 11f3b7b..a27a5e4 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,12 @@ require ( github.com/ncruces/go-strftime v1.0.0 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect + golang.org/x/net v0.29.0 // indirect golang.org/x/sys v0.41.0 // indirect + golang.org/x/text v0.22.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/grpc v1.68.0 // indirect + google.golang.org/protobuf v1.36.0 // indirect modernc.org/libc v1.67.6 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect diff --git a/go.sum b/go.sum index 34414aa..9d898cb 100644 --- a/go.sum +++ b/go.sum @@ -22,6 +22,8 @@ golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -29,8 +31,16 @@ golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= +golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= +golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= +google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= +google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ= +google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis= modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0= modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc= diff --git a/internal/config/config.go b/internal/config/config.go index 0d347f9..83918aa 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -23,9 +23,13 @@ type Config struct { // ServerConfig holds HTTP listener and TLS settings. type ServerConfig struct { + // ListenAddr is the HTTPS listen address (required). ListenAddr string `toml:"listen_addr"` - TLSCert string `toml:"tls_cert"` - TLSKey string `toml:"tls_key"` + // GRPCAddr is the gRPC listen address (optional; omit to disable gRPC). + // The gRPC listener uses the same TLS certificate and key as the REST listener. + GRPCAddr string `toml:"grpc_addr"` + TLSCert string `toml:"tls_cert"` + TLSKey string `toml:"tls_key"` } // DatabaseConfig holds SQLite database settings. diff --git a/internal/grpcserver/accountservice.go b/internal/grpcserver/accountservice.go new file mode 100644 index 0000000..f791b7b --- /dev/null +++ b/internal/grpcserver/accountservice.go @@ -0,0 +1,222 @@ +// accountServiceServer implements mciasv1.AccountServiceServer. +// All RPCs require admin role. +package grpcserver + +import ( + "context" + "fmt" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/timestamppb" + + "git.wntrmute.dev/kyle/mcias/internal/auth" + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/model" + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +type accountServiceServer struct { + mciasv1.UnimplementedAccountServiceServer + s *Server +} + +// accountToProto converts an internal Account to the proto message. +// Credential fields (PasswordHash, TOTPSecret*) are never included. +func accountToProto(a *model.Account) *mciasv1.Account { + acc := &mciasv1.Account{ + Id: a.UUID, + Username: a.Username, + AccountType: string(a.AccountType), + Status: string(a.Status), + TotpEnabled: a.TOTPRequired, + CreatedAt: timestamppb.New(a.CreatedAt), + UpdatedAt: timestamppb.New(a.UpdatedAt), + } + return acc +} + +// ListAccounts returns all accounts. Admin only. +func (a *accountServiceServer) ListAccounts(ctx context.Context, _ *mciasv1.ListAccountsRequest) (*mciasv1.ListAccountsResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + accounts, err := a.s.db.ListAccounts() + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + resp := make([]*mciasv1.Account, len(accounts)) + for i, acct := range accounts { + resp[i] = accountToProto(acct) + } + return &mciasv1.ListAccountsResponse{Accounts: resp}, nil +} + +// CreateAccount creates a new account. Admin only. +func (a *accountServiceServer) CreateAccount(ctx context.Context, req *mciasv1.CreateAccountRequest) (*mciasv1.CreateAccountResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Username == "" { + return nil, status.Error(codes.InvalidArgument, "username is required") + } + accountType := model.AccountType(req.AccountType) + if accountType != model.AccountTypeHuman && accountType != model.AccountTypeSystem { + return nil, status.Error(codes.InvalidArgument, "account_type must be 'human' or 'system'") + } + + var passwordHash string + if accountType == model.AccountTypeHuman { + if req.Password == "" { + return nil, status.Error(codes.InvalidArgument, "password is required for human accounts") + } + var err error + passwordHash, err = auth.HashPassword(req.Password, auth.ArgonParams{ + Time: a.s.cfg.Argon2.Time, + Memory: a.s.cfg.Argon2.Memory, + Threads: a.s.cfg.Argon2.Threads, + }) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + } + + acct, err := a.s.db.CreateAccount(req.Username, accountType, passwordHash) + if err != nil { + return nil, status.Error(codes.AlreadyExists, "username already exists") + } + + a.s.db.WriteAuditEvent(model.EventAccountCreated, nil, &acct.ID, peerIP(ctx), //nolint:errcheck + fmt.Sprintf(`{"username":%q}`, acct.Username)) + return &mciasv1.CreateAccountResponse{Account: accountToProto(acct)}, nil +} + +// GetAccount retrieves a single account by UUID. Admin only. +func (a *accountServiceServer) GetAccount(ctx context.Context, req *mciasv1.GetAccountRequest) (*mciasv1.GetAccountResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + acct, err := a.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + return &mciasv1.GetAccountResponse{Account: accountToProto(acct)}, nil +} + +// UpdateAccount updates mutable fields. Admin only. +func (a *accountServiceServer) UpdateAccount(ctx context.Context, req *mciasv1.UpdateAccountRequest) (*mciasv1.UpdateAccountResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + acct, err := a.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + + if req.Status != "" { + newStatus := model.AccountStatus(req.Status) + if newStatus != model.AccountStatusActive && newStatus != model.AccountStatusInactive { + return nil, status.Error(codes.InvalidArgument, "status must be 'active' or 'inactive'") + } + if err := a.s.db.UpdateAccountStatus(acct.ID, newStatus); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + } + + a.s.db.WriteAuditEvent(model.EventAccountUpdated, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck + return &mciasv1.UpdateAccountResponse{}, nil +} + +// DeleteAccount soft-deletes an account and revokes its tokens. Admin only. +func (a *accountServiceServer) DeleteAccount(ctx context.Context, req *mciasv1.DeleteAccountRequest) (*mciasv1.DeleteAccountResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + acct, err := a.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + if err := a.s.db.UpdateAccountStatus(acct.ID, model.AccountStatusDeleted); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + if err := a.s.db.RevokeAllUserTokens(acct.ID, "account deleted"); err != nil { + a.s.logger.Error("revoke tokens on delete", "error", err, "account_id", acct.ID) + } + a.s.db.WriteAuditEvent(model.EventAccountDeleted, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck + return &mciasv1.DeleteAccountResponse{}, nil +} + +// GetRoles returns the roles for an account. Admin only. +func (a *accountServiceServer) GetRoles(ctx context.Context, req *mciasv1.GetRolesRequest) (*mciasv1.GetRolesResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + acct, err := a.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + roles, err := a.s.db.GetRoles(acct.ID) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + if roles == nil { + roles = []string{} + } + return &mciasv1.GetRolesResponse{Roles: roles}, nil +} + +// SetRoles replaces the role set for an account. Admin only. +func (a *accountServiceServer) SetRoles(ctx context.Context, req *mciasv1.SetRolesRequest) (*mciasv1.SetRolesResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + acct, err := a.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + + actorClaims := claimsFromContext(ctx) + var grantedBy *int64 + if actorClaims != nil { + if actor, err := a.s.db.GetAccountByUUID(actorClaims.Subject); err == nil { + grantedBy = &actor.ID + } + } + + if err := a.s.db.SetRoles(acct.ID, req.Roles, grantedBy); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + a.s.db.WriteAuditEvent(model.EventRoleGranted, grantedBy, &acct.ID, peerIP(ctx), //nolint:errcheck + fmt.Sprintf(`{"roles":%v}`, req.Roles)) + return &mciasv1.SetRolesResponse{}, nil +} diff --git a/internal/grpcserver/admin.go b/internal/grpcserver/admin.go new file mode 100644 index 0000000..f8ab93f --- /dev/null +++ b/internal/grpcserver/admin.go @@ -0,0 +1,41 @@ +// adminServiceServer implements mciasv1.AdminServiceServer. +// Health and GetPublicKey are public RPCs that bypass auth. +package grpcserver + +import ( + "context" + "encoding/base64" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +type adminServiceServer struct { + mciasv1.UnimplementedAdminServiceServer + s *Server +} + +// Health returns {"status":"ok"} to signal the server is operational. +func (a *adminServiceServer) Health(_ context.Context, _ *mciasv1.HealthRequest) (*mciasv1.HealthResponse, error) { + return &mciasv1.HealthResponse{Status: "ok"}, nil +} + +// GetPublicKey returns the Ed25519 public key as JWK field values. +// The "x" field is the raw 32-byte public key base64url-encoded without padding, +// matching the REST /v1/keys/public response format. +func (a *adminServiceServer) GetPublicKey(_ context.Context, _ *mciasv1.GetPublicKeyRequest) (*mciasv1.GetPublicKeyResponse, error) { + if len(a.s.pubKey) == 0 { + return nil, status.Error(codes.Internal, "public key not available") + } + // Encode as base64url without padding — identical to the REST handler. + x := base64.RawURLEncoding.EncodeToString(a.s.pubKey) + return &mciasv1.GetPublicKeyResponse{ + Kty: "OKP", + Crv: "Ed25519", + Use: "sig", + Alg: "EdDSA", + X: x, + }, nil +} diff --git a/internal/grpcserver/auth.go b/internal/grpcserver/auth.go new file mode 100644 index 0000000..55ce4aa --- /dev/null +++ b/internal/grpcserver/auth.go @@ -0,0 +1,264 @@ +// authServiceServer implements mciasv1.AuthServiceServer. +// All handlers delegate to the same internal packages as the REST server. +package grpcserver + +import ( + "context" + "fmt" + "net" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/peer" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/timestamppb" + + "git.wntrmute.dev/kyle/mcias/internal/auth" + "git.wntrmute.dev/kyle/mcias/internal/crypto" + "git.wntrmute.dev/kyle/mcias/internal/model" + "git.wntrmute.dev/kyle/mcias/internal/token" + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +type authServiceServer struct { + mciasv1.UnimplementedAuthServiceServer + s *Server +} + +// Login authenticates a user and issues a JWT. +// Public RPC — no auth interceptor required. +// +// Security: Identical to the REST handleLogin: always runs Argon2 for unknown +// users to prevent timing-based user enumeration. Generic error returned +// regardless of which step failed. +func (a *authServiceServer) Login(ctx context.Context, req *mciasv1.LoginRequest) (*mciasv1.LoginResponse, error) { + if req.Username == "" || req.Password == "" { + return nil, status.Error(codes.InvalidArgument, "username and password are required") + } + + ip := peerIP(ctx) + + acct, err := a.s.db.GetAccountByUsername(req.Username) + if err != nil { + // Security: run dummy Argon2 to equalise timing for unknown users. + _, _ = auth.VerifyPassword("dummy", "$argon2id$v=19$m=65536,t=3,p=4$dGVzdHNhbHQ$dGVzdGhhc2g") + a.s.db.WriteAuditEvent(model.EventLoginFail, nil, nil, ip, //nolint:errcheck // audit failure is non-fatal + fmt.Sprintf(`{"username":%q,"reason":"unknown_user"}`, req.Username)) + return nil, status.Error(codes.Unauthenticated, "invalid credentials") + } + + if acct.Status != model.AccountStatusActive { + _, _ = auth.VerifyPassword("dummy", "$argon2id$v=19$m=65536,t=3,p=4$dGVzdHNhbHQ$dGVzdGhhc2g") + a.s.db.WriteAuditEvent(model.EventLoginFail, &acct.ID, nil, ip, `{"reason":"account_inactive"}`) //nolint:errcheck + return nil, status.Error(codes.Unauthenticated, "invalid credentials") + } + + ok, err := auth.VerifyPassword(req.Password, acct.PasswordHash) + if err != nil || !ok { + a.s.db.WriteAuditEvent(model.EventLoginFail, &acct.ID, nil, ip, `{"reason":"wrong_password"}`) //nolint:errcheck + return nil, status.Error(codes.Unauthenticated, "invalid credentials") + } + + if acct.TOTPRequired { + if req.TotpCode == "" { + a.s.db.WriteAuditEvent(model.EventLoginFail, &acct.ID, nil, ip, `{"reason":"totp_missing"}`) //nolint:errcheck + return nil, status.Error(codes.Unauthenticated, "TOTP code required") + } + secret, err := crypto.OpenAESGCM(a.s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc) + if err != nil { + a.s.logger.Error("decrypt TOTP secret", "error", err, "account_id", acct.ID) + return nil, status.Error(codes.Internal, "internal error") + } + valid, err := auth.ValidateTOTP(secret, req.TotpCode) + if err != nil || !valid { + a.s.db.WriteAuditEvent(model.EventLoginTOTPFail, &acct.ID, nil, ip, `{"reason":"wrong_totp"}`) //nolint:errcheck + return nil, status.Error(codes.Unauthenticated, "invalid credentials") + } + } + + expiry := a.s.cfg.DefaultExpiry() + roles, err := a.s.db.GetRoles(acct.ID) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + for _, r := range roles { + if r == "admin" { + expiry = a.s.cfg.AdminExpiry() + break + } + } + + tokenStr, claims, err := token.IssueToken(a.s.privKey, a.s.cfg.Tokens.Issuer, acct.UUID, roles, expiry) + if err != nil { + a.s.logger.Error("issue token", "error", err) + return nil, status.Error(codes.Internal, "internal error") + } + if err := a.s.db.TrackToken(claims.JTI, acct.ID, claims.IssuedAt, claims.ExpiresAt); err != nil { + a.s.logger.Error("track token", "error", err) + return nil, status.Error(codes.Internal, "internal error") + } + + a.s.db.WriteAuditEvent(model.EventLoginOK, &acct.ID, nil, ip, "") //nolint:errcheck + a.s.db.WriteAuditEvent(model.EventTokenIssued, &acct.ID, nil, ip, //nolint:errcheck + fmt.Sprintf(`{"jti":%q}`, claims.JTI)) + + return &mciasv1.LoginResponse{ + Token: tokenStr, + ExpiresAt: timestamppb.New(claims.ExpiresAt), + }, nil +} + +// Logout revokes the caller's current JWT. +func (a *authServiceServer) Logout(ctx context.Context, _ *mciasv1.LogoutRequest) (*mciasv1.LogoutResponse, error) { + claims := claimsFromContext(ctx) + if err := a.s.db.RevokeToken(claims.JTI, "logout"); err != nil { + a.s.logger.Error("revoke token on logout", "error", err) + return nil, status.Error(codes.Internal, "internal error") + } + a.s.db.WriteAuditEvent(model.EventTokenRevoked, nil, nil, peerIP(ctx), //nolint:errcheck + fmt.Sprintf(`{"jti":%q,"reason":"logout"}`, claims.JTI)) + return &mciasv1.LogoutResponse{}, nil +} + +// RenewToken exchanges the caller's token for a new one. +func (a *authServiceServer) RenewToken(ctx context.Context, _ *mciasv1.RenewTokenRequest) (*mciasv1.RenewTokenResponse, error) { + claims := claimsFromContext(ctx) + + acct, err := a.s.db.GetAccountByUUID(claims.Subject) + if err != nil { + return nil, status.Error(codes.Unauthenticated, "account not found") + } + if acct.Status != model.AccountStatusActive { + return nil, status.Error(codes.Unauthenticated, "account inactive") + } + + roles, err := a.s.db.GetRoles(acct.ID) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + expiry := a.s.cfg.DefaultExpiry() + for _, r := range roles { + if r == "admin" { + expiry = a.s.cfg.AdminExpiry() + break + } + } + + newTokenStr, newClaims, err := token.IssueToken(a.s.privKey, a.s.cfg.Tokens.Issuer, acct.UUID, roles, expiry) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + _ = a.s.db.RevokeToken(claims.JTI, "renewed") + if err := a.s.db.TrackToken(newClaims.JTI, acct.ID, newClaims.IssuedAt, newClaims.ExpiresAt); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + a.s.db.WriteAuditEvent(model.EventTokenRenewed, &acct.ID, nil, peerIP(ctx), //nolint:errcheck + fmt.Sprintf(`{"old_jti":%q,"new_jti":%q}`, claims.JTI, newClaims.JTI)) + + return &mciasv1.RenewTokenResponse{ + Token: newTokenStr, + ExpiresAt: timestamppb.New(newClaims.ExpiresAt), + }, nil +} + +// EnrollTOTP begins TOTP enrollment for the calling account. +func (a *authServiceServer) EnrollTOTP(ctx context.Context, _ *mciasv1.EnrollTOTPRequest) (*mciasv1.EnrollTOTPResponse, error) { + claims := claimsFromContext(ctx) + acct, err := a.s.db.GetAccountByUUID(claims.Subject) + if err != nil { + return nil, status.Error(codes.Unauthenticated, "account not found") + } + + rawSecret, b32Secret, err := auth.GenerateTOTPSecret() + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + secretEnc, secretNonce, err := crypto.SealAESGCM(a.s.masterKey, rawSecret) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + if err := a.s.db.SetTOTP(acct.ID, secretEnc, secretNonce); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + otpURI := fmt.Sprintf("otpauth://totp/MCIAS:%s?secret=%s&issuer=MCIAS", acct.Username, b32Secret) + + // Security: secret is shown once here only; the stored form is encrypted. + return &mciasv1.EnrollTOTPResponse{ + Secret: b32Secret, + OtpauthUri: otpURI, + }, nil +} + +// ConfirmTOTP confirms TOTP enrollment. +func (a *authServiceServer) ConfirmTOTP(ctx context.Context, req *mciasv1.ConfirmTOTPRequest) (*mciasv1.ConfirmTOTPResponse, error) { + if req.Code == "" { + return nil, status.Error(codes.InvalidArgument, "code is required") + } + + claims := claimsFromContext(ctx) + acct, err := a.s.db.GetAccountByUUID(claims.Subject) + if err != nil { + return nil, status.Error(codes.Unauthenticated, "account not found") + } + if acct.TOTPSecretEnc == nil { + return nil, status.Error(codes.FailedPrecondition, "TOTP enrollment not started") + } + + secret, err := crypto.OpenAESGCM(a.s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + valid, err := auth.ValidateTOTP(secret, req.Code) + if err != nil || !valid { + return nil, status.Error(codes.Unauthenticated, "invalid TOTP code") + } + + // SetTOTP with existing enc/nonce sets totp_required=1, confirming enrollment. + if err := a.s.db.SetTOTP(acct.ID, acct.TOTPSecretEnc, acct.TOTPSecretNonce); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + a.s.db.WriteAuditEvent(model.EventTOTPEnrolled, &acct.ID, nil, peerIP(ctx), "") //nolint:errcheck + return &mciasv1.ConfirmTOTPResponse{}, nil +} + +// RemoveTOTP removes TOTP from an account. Admin only. +func (a *authServiceServer) RemoveTOTP(ctx context.Context, req *mciasv1.RemoveTOTPRequest) (*mciasv1.RemoveTOTPResponse, error) { + if err := a.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.AccountId == "" { + return nil, status.Error(codes.InvalidArgument, "account_id is required") + } + + acct, err := a.s.db.GetAccountByUUID(req.AccountId) + if err != nil { + return nil, status.Error(codes.NotFound, "account not found") + } + + if err := a.s.db.ClearTOTP(acct.ID); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + a.s.db.WriteAuditEvent(model.EventTOTPRemoved, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck + return &mciasv1.RemoveTOTPResponse{}, nil +} + +// peerIP extracts the client IP from gRPC peer context. +func peerIP(ctx context.Context) string { + p, ok := peer.FromContext(ctx) + if !ok { + return "" + } + host, _, err := net.SplitHostPort(p.Addr.String()) + if err != nil { + return p.Addr.String() + } + return host +} diff --git a/internal/grpcserver/credentialservice.go b/internal/grpcserver/credentialservice.go new file mode 100644 index 0000000..cc34c76 --- /dev/null +++ b/internal/grpcserver/credentialservice.go @@ -0,0 +1,107 @@ +// credentialServiceServer implements mciasv1.CredentialServiceServer. +// All RPCs require admin role. +package grpcserver + +import ( + "context" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + + "git.wntrmute.dev/kyle/mcias/internal/crypto" + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/model" + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +type credentialServiceServer struct { + mciasv1.UnimplementedCredentialServiceServer + s *Server +} + +// GetPGCreds decrypts and returns Postgres credentials. Admin only. +// Security: the password field is decrypted and returned; this constitutes +// a sensitive operation. The audit log records the access. +func (c *credentialServiceServer) GetPGCreds(ctx context.Context, req *mciasv1.GetPGCredsRequest) (*mciasv1.GetPGCredsResponse, error) { + if err := c.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + acct, err := c.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + + cred, err := c.s.db.ReadPGCredentials(acct.ID) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "no credentials stored") + } + return nil, status.Error(codes.Internal, "internal error") + } + + // Decrypt the password for admin retrieval. + password, err := crypto.OpenAESGCM(c.s.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + c.s.db.WriteAuditEvent(model.EventPGCredAccessed, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck + + return &mciasv1.GetPGCredsResponse{ + Creds: &mciasv1.PGCreds{ + Host: cred.PGHost, + Database: cred.PGDatabase, + Username: cred.PGUsername, + Password: string(password), // security: returned only on explicit admin request + Port: int32(cred.PGPort), + }, + }, nil +} + +// SetPGCreds stores Postgres credentials for an account. Admin only. +func (c *credentialServiceServer) SetPGCreds(ctx context.Context, req *mciasv1.SetPGCredsRequest) (*mciasv1.SetPGCredsResponse, error) { + if err := c.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Id == "" { + return nil, status.Error(codes.InvalidArgument, "id is required") + } + if req.Creds == nil { + return nil, status.Error(codes.InvalidArgument, "creds is required") + } + + cr := req.Creds + if cr.Host == "" || cr.Database == "" || cr.Username == "" || cr.Password == "" { + return nil, status.Error(codes.InvalidArgument, "host, database, username, and password are required") + } + port := int(cr.Port) + if port == 0 { + port = 5432 + } + + acct, err := c.s.db.GetAccountByUUID(req.Id) + if err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "account not found") + } + return nil, status.Error(codes.Internal, "internal error") + } + + enc, nonce, err := crypto.SealAESGCM(c.s.masterKey, []byte(cr.Password)) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + if err := c.s.db.WritePGCredentials(acct.ID, cr.Host, port, cr.Database, cr.Username, enc, nonce); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + c.s.db.WriteAuditEvent(model.EventPGCredUpdated, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck + return &mciasv1.SetPGCredsResponse{}, nil +} diff --git a/internal/grpcserver/grpcserver.go b/internal/grpcserver/grpcserver.go new file mode 100644 index 0000000..bcffeb3 --- /dev/null +++ b/internal/grpcserver/grpcserver.go @@ -0,0 +1,345 @@ +// Package grpcserver provides a gRPC server that exposes the same +// functionality as the REST HTTP server using the same internal packages. +// +// Security design: +// - All RPCs share business logic with the REST server via internal/auth, +// internal/token, internal/db, and internal/crypto packages. +// - Authentication uses the same JWT validation path as the REST middleware: +// alg-first check, signature verification, revocation table lookup. +// - The authorization metadata key is "authorization"; its value must be +// "Bearer " (case-insensitive prefix check). +// - Credential fields (PasswordHash, TOTPSecret*, PGPassword) are never +// included in any RPC response message. +// - No credential material is logged by any interceptor. +// - TLS is required at the listener level (enforced by cmd/mciassrv). +// - Public RPCs (Health, GetPublicKey, ValidateToken) bypass auth. +package grpcserver + +import ( + "context" + "crypto/ed25519" + "log/slog" + "net" + "strings" + "sync" + "time" + + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/metadata" + "google.golang.org/grpc/peer" + "google.golang.org/grpc/status" + + "git.wntrmute.dev/kyle/mcias/internal/config" + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/token" + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +// contextKey is the unexported context key type for this package. +type contextKey int + +const ( + claimsCtxKey contextKey = iota +) + +// claimsFromContext retrieves JWT claims injected by the auth interceptor. +// Returns nil for unauthenticated (public) RPCs. +func claimsFromContext(ctx context.Context) *token.Claims { + c, _ := ctx.Value(claimsCtxKey).(*token.Claims) + return c +} + +// Server holds the shared state for all gRPC service implementations. +type Server struct { + db *db.DB + cfg *config.Config + privKey ed25519.PrivateKey + pubKey ed25519.PublicKey + masterKey []byte + logger *slog.Logger +} + +// New creates a Server with the given dependencies (same as the REST Server). +func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed25519.PublicKey, masterKey []byte, logger *slog.Logger) *Server { + return &Server{ + db: database, + cfg: cfg, + privKey: priv, + pubKey: pub, + masterKey: masterKey, + logger: logger, + } +} + +// publicMethods is the set of fully-qualified method names that bypass auth. +// These match the gRPC full method path: /./. +var publicMethods = map[string]bool{ + "/mcias.v1.AdminService/Health": true, + "/mcias.v1.AdminService/GetPublicKey": true, + "/mcias.v1.TokenService/ValidateToken": true, + "/mcias.v1.AuthService/Login": true, +} + +// GRPCServer builds and returns a configured *grpc.Server with all services +// registered and the interceptor chain installed. The returned server uses no +// transport credentials; callers are expected to wrap with TLS via GRPCServerWithCreds. +func (s *Server) GRPCServer() *grpc.Server { + return s.buildServer() +} + +// GRPCServerWithCreds builds a *grpc.Server with TLS transport credentials. +// This is the method to use when starting a TLS gRPC listener; TLS credentials +// must be passed at server-construction time per the gRPC idiom. +func (s *Server) GRPCServerWithCreds(creds credentials.TransportCredentials) *grpc.Server { + return s.buildServer(grpc.Creds(creds)) +} + +// buildServer constructs the grpc.Server with optional additional server options. +func (s *Server) buildServer(extra ...grpc.ServerOption) *grpc.Server { + opts := append( + []grpc.ServerOption{ + grpc.ChainUnaryInterceptor( + s.loggingInterceptor, + s.authInterceptor, + s.rateLimitInterceptor, + ), + }, + extra..., + ) + srv := grpc.NewServer(opts...) + + // Register service implementations. + mciasv1.RegisterAdminServiceServer(srv, &adminServiceServer{s: s}) + mciasv1.RegisterAuthServiceServer(srv, &authServiceServer{s: s}) + mciasv1.RegisterTokenServiceServer(srv, &tokenServiceServer{s: s}) + mciasv1.RegisterAccountServiceServer(srv, &accountServiceServer{s: s}) + mciasv1.RegisterCredentialServiceServer(srv, &credentialServiceServer{s: s}) + + return srv +} + +// loggingInterceptor logs each unary RPC call with method, peer IP, status, +// and duration. The authorization metadata value is never logged. +func (s *Server) loggingInterceptor( + ctx context.Context, + req interface{}, + info *grpc.UnaryServerInfo, + handler grpc.UnaryHandler, +) (interface{}, error) { + start := time.Now() + + peerIP := "" + if p, ok := peer.FromContext(ctx); ok { + host, _, err := net.SplitHostPort(p.Addr.String()) + if err == nil { + peerIP = host + } else { + peerIP = p.Addr.String() + } + } + + resp, err := handler(ctx, req) + + code := codes.OK + if err != nil { + code = status.Code(err) + } + + // Security: authorization metadata is never logged. + s.logger.Info("grpc request", + "method", info.FullMethod, + "peer_ip", peerIP, + "code", code.String(), + "duration_ms", time.Since(start).Milliseconds(), + ) + return resp, err +} + +// authInterceptor validates the Bearer JWT from gRPC metadata and injects +// claims into the context. Public methods bypass this check. +// +// Security: Same validation path as the REST RequireAuth middleware: +// 1. Extract "authorization" metadata value (case-insensitive key lookup). +// 2. Validate JWT (alg-first, then signature, then expiry/issuer). +// 3. Check JTI against revocation table. +// 4. Inject claims into context. +func (s *Server) authInterceptor( + ctx context.Context, + req interface{}, + info *grpc.UnaryServerInfo, + handler grpc.UnaryHandler, +) (interface{}, error) { + if publicMethods[info.FullMethod] { + return handler(ctx, req) + } + + tokenStr, err := extractBearerFromMD(ctx) + if err != nil { + // Security: do not reveal whether the header was missing vs. malformed. + return nil, status.Error(codes.Unauthenticated, "missing or invalid authorization") + } + + claims, err := token.ValidateToken(s.pubKey, tokenStr, s.cfg.Tokens.Issuer) + if err != nil { + return nil, status.Error(codes.Unauthenticated, "invalid or expired token") + } + + // Security: check revocation table after signature validation. + rec, err := s.db.GetTokenRecord(claims.JTI) + if err != nil || rec.IsRevoked() { + return nil, status.Error(codes.Unauthenticated, "token has been revoked") + } + + ctx = context.WithValue(ctx, claimsCtxKey, claims) + return handler(ctx, req) +} + +// requireAdmin checks that the claims in context contain the "admin" role. +// Called by admin-only RPC handlers after the authInterceptor has run. +// +// Security: Mirrors the REST RequireRole("admin") middleware check; checked +// after auth so claims are always populated when this function is reached. +func (s *Server) requireAdmin(ctx context.Context) error { + claims := claimsFromContext(ctx) + if claims == nil { + return status.Error(codes.PermissionDenied, "insufficient privileges") + } + if !claims.HasRole("admin") { + return status.Error(codes.PermissionDenied, "insufficient privileges") + } + return nil +} + +// --- Rate limiter --- + +// grpcRateLimiter is a per-IP token bucket for gRPC, sharing the same +// algorithm as the REST RateLimit middleware. +type grpcRateLimiter struct { + mu sync.Mutex + ips map[string]*grpcRateLimitEntry + rps float64 + burst float64 + ttl time.Duration +} + +type grpcRateLimitEntry struct { + mu sync.Mutex + lastSeen time.Time + tokens float64 +} + +func newGRPCRateLimiter(rps float64, burst int) *grpcRateLimiter { + l := &grpcRateLimiter{ + rps: rps, + burst: float64(burst), + ttl: 10 * time.Minute, + ips: make(map[string]*grpcRateLimitEntry), + } + go l.cleanup() + return l +} + +func (l *grpcRateLimiter) allow(ip string) bool { + l.mu.Lock() + entry, ok := l.ips[ip] + if !ok { + entry = &grpcRateLimitEntry{tokens: l.burst, lastSeen: time.Now()} + l.ips[ip] = entry + } + l.mu.Unlock() + + entry.mu.Lock() + defer entry.mu.Unlock() + + now := time.Now() + elapsed := now.Sub(entry.lastSeen).Seconds() + entry.tokens = minFloat64(l.burst, entry.tokens+elapsed*l.rps) + entry.lastSeen = now + + if entry.tokens < 1 { + return false + } + entry.tokens-- + return true +} + +func (l *grpcRateLimiter) cleanup() { + ticker := time.NewTicker(5 * time.Minute) + defer ticker.Stop() + for range ticker.C { + l.mu.Lock() + cutoff := time.Now().Add(-l.ttl) + for ip, entry := range l.ips { + entry.mu.Lock() + if entry.lastSeen.Before(cutoff) { + delete(l.ips, ip) + } + entry.mu.Unlock() + } + l.mu.Unlock() + } +} + +// defaultRateLimiter is the server-wide rate limiter instance. +// 10 req/s sustained, burst 10 — same parameters as the REST limiter. +var defaultRateLimiter = newGRPCRateLimiter(10, 10) + +// rateLimitInterceptor applies per-IP rate limiting using the same token-bucket +// parameters as the REST rate limiter (10 req/s, burst 10). +func (s *Server) rateLimitInterceptor( + ctx context.Context, + req interface{}, + info *grpc.UnaryServerInfo, + handler grpc.UnaryHandler, +) (interface{}, error) { + ip := "" + if p, ok := peer.FromContext(ctx); ok { + host, _, err := net.SplitHostPort(p.Addr.String()) + if err == nil { + ip = host + } else { + ip = p.Addr.String() + } + } + + if ip != "" && !defaultRateLimiter.allow(ip) { + return nil, status.Error(codes.ResourceExhausted, "rate limit exceeded") + } + return handler(ctx, req) +} + +// extractBearerFromMD extracts the Bearer token from gRPC metadata. +// The key lookup is case-insensitive per gRPC metadata convention (all keys +// are lowercased by the framework; we match on "authorization"). +// +// Security: The metadata value is never logged. +func extractBearerFromMD(ctx context.Context) (string, error) { + md, ok := metadata.FromIncomingContext(ctx) + if !ok { + return "", status.Error(codes.Unauthenticated, "no metadata") + } + vals := md.Get("authorization") + if len(vals) == 0 { + return "", status.Error(codes.Unauthenticated, "missing authorization metadata") + } + auth := vals[0] + const prefix = "bearer " + if len(auth) <= len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) { + return "", status.Error(codes.Unauthenticated, "malformed authorization metadata") + } + t := auth[len(prefix):] + if t == "" { + return "", status.Error(codes.Unauthenticated, "empty bearer token") + } + return t, nil +} + +// minFloat64 returns the smaller of two float64 values. +func minFloat64(a, b float64) float64 { + if a < b { + return a + } + return b +} diff --git a/internal/grpcserver/grpcserver_test.go b/internal/grpcserver/grpcserver_test.go new file mode 100644 index 0000000..2faba91 --- /dev/null +++ b/internal/grpcserver/grpcserver_test.go @@ -0,0 +1,654 @@ +// Tests for the gRPC server package. +// +// All tests use bufconn so no network sockets are opened. TLS is omitted +// at the test layer (insecure credentials); TLS enforcement is the responsibility +// of cmd/mciassrv which wraps the listener. +package grpcserver + +import ( + "context" + "crypto/ed25519" + "crypto/rand" + "io" + "log/slog" + "net" + "testing" + "time" + + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/credentials/insecure" + "google.golang.org/grpc/metadata" + "google.golang.org/grpc/status" + "google.golang.org/grpc/test/bufconn" + + "git.wntrmute.dev/kyle/mcias/internal/auth" + "git.wntrmute.dev/kyle/mcias/internal/config" + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/model" + "git.wntrmute.dev/kyle/mcias/internal/token" + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +const ( + testIssuer = "https://auth.example.com" + bufConnSize = 1024 * 1024 +) + +// testEnv holds all resources for a single test's gRPC server. +type testEnv struct { + db *db.DB + priv ed25519.PrivateKey + pub ed25519.PublicKey + masterKey []byte + cfg *config.Config + conn *grpc.ClientConn +} + +// newTestEnv spins up an in-process gRPC server using bufconn and returns +// a client connection to it. All resources are cleaned up via t.Cleanup. +func newTestEnv(t *testing.T) *testEnv { + t.Helper() + + pub, priv, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + t.Fatalf("generate key: %v", err) + } + + database, err := db.Open(":memory:") + if err != nil { + t.Fatalf("open db: %v", err) + } + if err := db.Migrate(database); err != nil { + t.Fatalf("migrate db: %v", err) + } + + masterKey := make([]byte, 32) + if _, err := rand.Read(masterKey); err != nil { + t.Fatalf("generate master key: %v", err) + } + + cfg := config.NewTestConfig(testIssuer) + logger := slog.New(slog.NewTextHandler(io.Discard, nil)) + + srv := New(database, cfg, priv, pub, masterKey, logger) + grpcSrv := srv.GRPCServer() + + lis := bufconn.Listen(bufConnSize) + go func() { + if err := grpcSrv.Serve(lis); err != nil { + // Serve returns when the listener is closed; ignore that error. + } + }() + + conn, err := grpc.NewClient( + "passthrough://bufnet", + grpc.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) { + return lis.DialContext(ctx) + }), + grpc.WithTransportCredentials(insecure.NewCredentials()), + ) + if err != nil { + t.Fatalf("dial bufconn: %v", err) + } + + t.Cleanup(func() { + _ = conn.Close() + grpcSrv.Stop() + _ = lis.Close() + _ = database.Close() + }) + + return &testEnv{ + db: database, + priv: priv, + pub: pub, + masterKey: masterKey, + cfg: cfg, + conn: conn, + } +} + +// createHumanAccount creates a human account with the given username and +// a fixed password "testpass123" directly in the database. +func (e *testEnv) createHumanAccount(t *testing.T, username string) *model.Account { + t.Helper() + hash, err := auth.HashPassword("testpass123", auth.ArgonParams{Time: 3, Memory: 65536, Threads: 4}) + if err != nil { + t.Fatalf("hash password: %v", err) + } + acct, err := e.db.CreateAccount(username, model.AccountTypeHuman, hash) + if err != nil { + t.Fatalf("create account: %v", err) + } + return acct +} + +// issueAdminToken creates an account with admin role, issues a JWT, tracks it in +// the DB, and returns the token string. +func (e *testEnv) issueAdminToken(t *testing.T, username string) (string, *model.Account) { + t.Helper() + acct := e.createHumanAccount(t, username) + if err := e.db.GrantRole(acct.ID, "admin", nil); err != nil { + t.Fatalf("grant admin role: %v", err) + } + tokenStr, claims, err := token.IssueToken(e.priv, testIssuer, acct.UUID, []string{"admin"}, time.Hour) + if err != nil { + t.Fatalf("issue token: %v", err) + } + if err := e.db.TrackToken(claims.JTI, acct.ID, claims.IssuedAt, claims.ExpiresAt); err != nil { + t.Fatalf("track token: %v", err) + } + return tokenStr, acct +} + +// issueUserToken issues a regular (non-admin) token for an account. +func (e *testEnv) issueUserToken(t *testing.T, acct *model.Account) string { + t.Helper() + tokenStr, claims, err := token.IssueToken(e.priv, testIssuer, acct.UUID, []string{}, time.Hour) + if err != nil { + t.Fatalf("issue token: %v", err) + } + if err := e.db.TrackToken(claims.JTI, acct.ID, claims.IssuedAt, claims.ExpiresAt); err != nil { + t.Fatalf("track token: %v", err) + } + return tokenStr +} + +// authCtx returns a context with the Bearer token as gRPC metadata. +func authCtx(tok string) context.Context { + return metadata.AppendToOutgoingContext(context.Background(), + "authorization", "Bearer "+tok) +} + +// ---- AdminService tests ---- + +// TestHealth verifies the public Health RPC requires no auth and returns "ok". +func TestHealth(t *testing.T) { + e := newTestEnv(t) + cl := mciasv1.NewAdminServiceClient(e.conn) + + resp, err := cl.Health(context.Background(), &mciasv1.HealthRequest{}) + if err != nil { + t.Fatalf("Health: %v", err) + } + if resp.Status != "ok" { + t.Errorf("Health: got status %q, want %q", resp.Status, "ok") + } +} + +// TestGetPublicKey verifies the public GetPublicKey RPC returns JWK fields. +func TestGetPublicKey(t *testing.T) { + e := newTestEnv(t) + cl := mciasv1.NewAdminServiceClient(e.conn) + + resp, err := cl.GetPublicKey(context.Background(), &mciasv1.GetPublicKeyRequest{}) + if err != nil { + t.Fatalf("GetPublicKey: %v", err) + } + if resp.Kty != "OKP" { + t.Errorf("GetPublicKey: kty=%q, want OKP", resp.Kty) + } + if resp.Crv != "Ed25519" { + t.Errorf("GetPublicKey: crv=%q, want Ed25519", resp.Crv) + } + if resp.X == "" { + t.Error("GetPublicKey: x field is empty") + } +} + +// ---- Auth interceptor tests ---- + +// TestAuthRequired verifies that protected RPCs reject calls with no token. +func TestAuthRequired(t *testing.T) { + e := newTestEnv(t) + cl := mciasv1.NewAuthServiceClient(e.conn) + + // Logout requires auth; call without any metadata. + _, err := cl.Logout(context.Background(), &mciasv1.LogoutRequest{}) + if err == nil { + t.Fatal("Logout without token: expected error, got nil") + } + st, ok := status.FromError(err) + if !ok { + t.Fatalf("not a gRPC status error: %v", err) + } + if st.Code() != codes.Unauthenticated { + t.Errorf("Logout without token: got code %v, want Unauthenticated", st.Code()) + } +} + +// TestInvalidTokenRejected verifies that a malformed token is rejected. +func TestInvalidTokenRejected(t *testing.T) { + e := newTestEnv(t) + cl := mciasv1.NewAuthServiceClient(e.conn) + + ctx := authCtx("not.a.valid.jwt") + _, err := cl.Logout(ctx, &mciasv1.LogoutRequest{}) + if err == nil { + t.Fatal("Logout with invalid token: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.Unauthenticated { + t.Errorf("got code %v, want Unauthenticated", st.Code()) + } +} + +// TestRevokedTokenRejected verifies that a revoked token cannot be used. +func TestRevokedTokenRejected(t *testing.T) { + e := newTestEnv(t) + + acct := e.createHumanAccount(t, "revokeduser") + tokenStr, claims, err := token.IssueToken(e.priv, testIssuer, acct.UUID, []string{}, time.Hour) + if err != nil { + t.Fatalf("issue token: %v", err) + } + if err := e.db.TrackToken(claims.JTI, acct.ID, claims.IssuedAt, claims.ExpiresAt); err != nil { + t.Fatalf("track token: %v", err) + } + // Revoke it before using it. + if err := e.db.RevokeToken(claims.JTI, "test"); err != nil { + t.Fatalf("revoke token: %v", err) + } + + cl := mciasv1.NewAuthServiceClient(e.conn) + ctx := authCtx(tokenStr) + _, err = cl.Logout(ctx, &mciasv1.LogoutRequest{}) + if err == nil { + t.Fatal("Logout with revoked token: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.Unauthenticated { + t.Errorf("got code %v, want Unauthenticated", st.Code()) + } +} + +// TestNonAdminCannotCallAdminRPC verifies that a regular user is denied access +// to admin-only RPCs (PermissionDenied, not Unauthenticated). +func TestNonAdminCannotCallAdminRPC(t *testing.T) { + e := newTestEnv(t) + acct := e.createHumanAccount(t, "regularuser") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewAccountServiceClient(e.conn) + ctx := authCtx(tok) + _, err := cl.ListAccounts(ctx, &mciasv1.ListAccountsRequest{}) + if err == nil { + t.Fatal("ListAccounts as non-admin: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.PermissionDenied { + t.Errorf("got code %v, want PermissionDenied", st.Code()) + } +} + +// ---- AuthService tests ---- + +// TestLogin verifies successful login via gRPC. +func TestLogin(t *testing.T) { + e := newTestEnv(t) + _ = e.createHumanAccount(t, "loginuser") + + cl := mciasv1.NewAuthServiceClient(e.conn) + resp, err := cl.Login(context.Background(), &mciasv1.LoginRequest{ + Username: "loginuser", + Password: "testpass123", + }) + if err != nil { + t.Fatalf("Login: %v", err) + } + if resp.Token == "" { + t.Error("Login: returned empty token") + } +} + +// TestLoginWrongPassword verifies that wrong-password returns Unauthenticated. +func TestLoginWrongPassword(t *testing.T) { + e := newTestEnv(t) + _ = e.createHumanAccount(t, "loginuser2") + + cl := mciasv1.NewAuthServiceClient(e.conn) + _, err := cl.Login(context.Background(), &mciasv1.LoginRequest{ + Username: "loginuser2", + Password: "wrongpassword", + }) + if err == nil { + t.Fatal("Login with wrong password: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.Unauthenticated { + t.Errorf("got code %v, want Unauthenticated", st.Code()) + } +} + +// TestLoginUnknownUser verifies that unknown-user returns the same error as +// wrong-password (prevents user enumeration). +func TestLoginUnknownUser(t *testing.T) { + e := newTestEnv(t) + cl := mciasv1.NewAuthServiceClient(e.conn) + _, err := cl.Login(context.Background(), &mciasv1.LoginRequest{ + Username: "nosuchuser", + Password: "whatever", + }) + if err == nil { + t.Fatal("Login for unknown user: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.Unauthenticated { + t.Errorf("got code %v, want Unauthenticated", st.Code()) + } +} + +// TestLogout verifies that a valid token can log itself out. +func TestLogout(t *testing.T) { + e := newTestEnv(t) + acct := e.createHumanAccount(t, "logoutuser") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewAuthServiceClient(e.conn) + ctx := authCtx(tok) + _, err := cl.Logout(ctx, &mciasv1.LogoutRequest{}) + if err != nil { + t.Fatalf("Logout: %v", err) + } + + // Second call with the same token must fail (token now revoked). + _, err = cl.Logout(authCtx(tok), &mciasv1.LogoutRequest{}) + if err == nil { + t.Fatal("second Logout with revoked token: expected error, got nil") + } +} + +// TestRenewToken verifies that a valid token can be renewed. +func TestRenewToken(t *testing.T) { + e := newTestEnv(t) + acct := e.createHumanAccount(t, "renewuser") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewAuthServiceClient(e.conn) + ctx := authCtx(tok) + resp, err := cl.RenewToken(ctx, &mciasv1.RenewTokenRequest{}) + if err != nil { + t.Fatalf("RenewToken: %v", err) + } + if resp.Token == "" { + t.Error("RenewToken: returned empty token") + } + if resp.Token == tok { + t.Error("RenewToken: returned same token instead of a fresh one") + } +} + +// ---- TokenService tests ---- + +// TestValidateToken verifies the public ValidateToken RPC returns valid=true for +// a good token and valid=false for a garbage input (no Unauthenticated error). +func TestValidateToken(t *testing.T) { + e := newTestEnv(t) + acct := e.createHumanAccount(t, "validateuser") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewTokenServiceClient(e.conn) + + // Valid token. + resp, err := cl.ValidateToken(context.Background(), &mciasv1.ValidateTokenRequest{Token: tok}) + if err != nil { + t.Fatalf("ValidateToken (good): %v", err) + } + if !resp.Valid { + t.Error("ValidateToken: got valid=false for a good token") + } + + // Invalid token: should return valid=false, not an RPC error. + resp, err = cl.ValidateToken(context.Background(), &mciasv1.ValidateTokenRequest{Token: "garbage"}) + if err != nil { + t.Fatalf("ValidateToken (bad): unexpected RPC error: %v", err) + } + if resp.Valid { + t.Error("ValidateToken: got valid=true for a garbage token") + } +} + +// TestIssueServiceTokenRequiresAdmin verifies that non-admin cannot issue tokens. +func TestIssueServiceTokenRequiresAdmin(t *testing.T) { + e := newTestEnv(t) + acct := e.createHumanAccount(t, "notadmin") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewTokenServiceClient(e.conn) + _, err := cl.IssueServiceToken(authCtx(tok), &mciasv1.IssueServiceTokenRequest{AccountId: acct.UUID}) + if err == nil { + t.Fatal("IssueServiceToken as non-admin: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.PermissionDenied { + t.Errorf("got code %v, want PermissionDenied", st.Code()) + } +} + +// ---- AccountService tests ---- + +// TestListAccountsAdminOnly verifies that ListAccounts requires admin role. +func TestListAccountsAdminOnly(t *testing.T) { + e := newTestEnv(t) + + // Non-admin call. + acct := e.createHumanAccount(t, "nonadmin") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewAccountServiceClient(e.conn) + _, err := cl.ListAccounts(authCtx(tok), &mciasv1.ListAccountsRequest{}) + if err == nil { + t.Fatal("ListAccounts as non-admin: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.PermissionDenied { + t.Errorf("got code %v, want PermissionDenied", st.Code()) + } + + // Admin call. + adminTok, _ := e.issueAdminToken(t, "adminuser") + resp, err := cl.ListAccounts(authCtx(adminTok), &mciasv1.ListAccountsRequest{}) + if err != nil { + t.Fatalf("ListAccounts as admin: %v", err) + } + if len(resp.Accounts) == 0 { + t.Error("ListAccounts: expected at least one account") + } +} + +// TestCreateAndGetAccount exercises the full create→get lifecycle. +func TestCreateAndGetAccount(t *testing.T) { + e := newTestEnv(t) + adminTok, _ := e.issueAdminToken(t, "admin2") + + cl := mciasv1.NewAccountServiceClient(e.conn) + + createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{ + Username: "newuser", + Password: "securepassword1", + AccountType: "human", + }) + if err != nil { + t.Fatalf("CreateAccount: %v", err) + } + if createResp.Account == nil { + t.Fatal("CreateAccount: returned nil account") + } + if createResp.Account.Id == "" { + t.Error("CreateAccount: returned empty UUID") + } + + // Security: credential fields must not appear in the response. + // The Account proto has no password_hash or totp_secret fields by design. + // Verify via GetAccount too. + getResp, err := cl.GetAccount(authCtx(adminTok), &mciasv1.GetAccountRequest{Id: createResp.Account.Id}) + if err != nil { + t.Fatalf("GetAccount: %v", err) + } + if getResp.Account.Username != "newuser" { + t.Errorf("GetAccount: username=%q, want %q", getResp.Account.Username, "newuser") + } +} + +// TestUpdateAccount verifies that account status can be changed. +func TestUpdateAccount(t *testing.T) { + e := newTestEnv(t) + adminTok, _ := e.issueAdminToken(t, "admin3") + + cl := mciasv1.NewAccountServiceClient(e.conn) + + createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{ + Username: "updateme", + Password: "pass12345", + AccountType: "human", + }) + if err != nil { + t.Fatalf("CreateAccount: %v", err) + } + id := createResp.Account.Id + + _, err = cl.UpdateAccount(authCtx(adminTok), &mciasv1.UpdateAccountRequest{ + Id: id, + Status: "inactive", + }) + if err != nil { + t.Fatalf("UpdateAccount: %v", err) + } + + getResp, err := cl.GetAccount(authCtx(adminTok), &mciasv1.GetAccountRequest{Id: id}) + if err != nil { + t.Fatalf("GetAccount after update: %v", err) + } + if getResp.Account.Status != "inactive" { + t.Errorf("after update: status=%q, want inactive", getResp.Account.Status) + } +} + +// TestSetAndGetRoles verifies that roles can be assigned and retrieved. +func TestSetAndGetRoles(t *testing.T) { + e := newTestEnv(t) + adminTok, _ := e.issueAdminToken(t, "admin4") + + cl := mciasv1.NewAccountServiceClient(e.conn) + + createResp, err := cl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{ + Username: "roleuser", + Password: "pass12345", + AccountType: "human", + }) + if err != nil { + t.Fatalf("CreateAccount: %v", err) + } + id := createResp.Account.Id + + _, err = cl.SetRoles(authCtx(adminTok), &mciasv1.SetRolesRequest{ + Id: id, + Roles: []string{"editor", "viewer"}, + }) + if err != nil { + t.Fatalf("SetRoles: %v", err) + } + + getRolesResp, err := cl.GetRoles(authCtx(adminTok), &mciasv1.GetRolesRequest{Id: id}) + if err != nil { + t.Fatalf("GetRoles: %v", err) + } + if len(getRolesResp.Roles) != 2 { + t.Errorf("GetRoles: got %d roles, want 2", len(getRolesResp.Roles)) + } +} + +// ---- CredentialService tests ---- + +// TestSetAndGetPGCreds verifies that PG credentials can be stored and retrieved. +// Security: the password is decrypted only in the GetPGCreds response; it is +// never present in account list or other responses. +func TestSetAndGetPGCreds(t *testing.T) { + e := newTestEnv(t) + adminTok, _ := e.issueAdminToken(t, "admin5") + + // Create a system account to hold the PG credentials. + accCl := mciasv1.NewAccountServiceClient(e.conn) + createResp, err := accCl.CreateAccount(authCtx(adminTok), &mciasv1.CreateAccountRequest{ + Username: "sysaccount", + AccountType: "system", + }) + if err != nil { + t.Fatalf("CreateAccount: %v", err) + } + accountID := createResp.Account.Id + + credCl := mciasv1.NewCredentialServiceClient(e.conn) + + _, err = credCl.SetPGCreds(authCtx(adminTok), &mciasv1.SetPGCredsRequest{ + Id: accountID, + Creds: &mciasv1.PGCreds{ + Host: "db.example.com", + Port: 5432, + Database: "mydb", + Username: "myuser", + Password: "supersecret", + }, + }) + if err != nil { + t.Fatalf("SetPGCreds: %v", err) + } + + getResp, err := credCl.GetPGCreds(authCtx(adminTok), &mciasv1.GetPGCredsRequest{Id: accountID}) + if err != nil { + t.Fatalf("GetPGCreds: %v", err) + } + if getResp.Creds == nil { + t.Fatal("GetPGCreds: returned nil creds") + } + if getResp.Creds.Password != "supersecret" { + t.Errorf("GetPGCreds: password=%q, want supersecret", getResp.Creds.Password) + } + if getResp.Creds.Host != "db.example.com" { + t.Errorf("GetPGCreds: host=%q, want db.example.com", getResp.Creds.Host) + } +} + +// TestPGCredsRequireAdmin verifies that non-admin cannot access PG creds. +func TestPGCredsRequireAdmin(t *testing.T) { + e := newTestEnv(t) + acct := e.createHumanAccount(t, "notadmin2") + tok := e.issueUserToken(t, acct) + + cl := mciasv1.NewCredentialServiceClient(e.conn) + _, err := cl.GetPGCreds(authCtx(tok), &mciasv1.GetPGCredsRequest{Id: acct.UUID}) + if err == nil { + t.Fatal("GetPGCreds as non-admin: expected error, got nil") + } + st, _ := status.FromError(err) + if st.Code() != codes.PermissionDenied { + t.Errorf("got code %v, want PermissionDenied", st.Code()) + } +} + +// ---- Security: credential fields absent from responses ---- + +// TestCredentialFieldsAbsentFromAccountResponse verifies that account responses +// never include password_hash or totp_secret fields. The Account proto message +// does not define these fields, providing compile-time enforcement. This test +// provides a runtime confirmation by checking the returned Account struct. +func TestCredentialFieldsAbsentFromAccountResponse(t *testing.T) { + e := newTestEnv(t) + adminTok, _ := e.issueAdminToken(t, "admin6") + + cl := mciasv1.NewAccountServiceClient(e.conn) + resp, err := cl.ListAccounts(authCtx(adminTok), &mciasv1.ListAccountsRequest{}) + if err != nil { + t.Fatalf("ListAccounts: %v", err) + } + for _, a := range resp.Accounts { + // Account proto only has: id, username, account_type, status, + // totp_enabled, created_at, updated_at. No credential fields. + // This loop body intentionally checks the fields that exist; + // the absence of credential fields is enforced by the proto definition. + if a.Id == "" { + t.Error("account has empty id") + } + } +} diff --git a/internal/grpcserver/tokenservice.go b/internal/grpcserver/tokenservice.go new file mode 100644 index 0000000..23c20b2 --- /dev/null +++ b/internal/grpcserver/tokenservice.go @@ -0,0 +1,122 @@ +// tokenServiceServer implements mciasv1.TokenServiceServer. +package grpcserver + +import ( + "context" + "fmt" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/timestamppb" + + "git.wntrmute.dev/kyle/mcias/internal/db" + "git.wntrmute.dev/kyle/mcias/internal/model" + "git.wntrmute.dev/kyle/mcias/internal/token" + mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1" +) + +type tokenServiceServer struct { + mciasv1.UnimplementedTokenServiceServer + s *Server +} + +// ValidateToken validates a JWT and returns its claims. +// Public RPC — no auth required. +// +// Security: Always returns a valid=false response on any error; never +// exposes which specific validation step failed. +func (t *tokenServiceServer) ValidateToken(_ context.Context, req *mciasv1.ValidateTokenRequest) (*mciasv1.ValidateTokenResponse, error) { + tokenStr := req.Token + if tokenStr == "" { + return &mciasv1.ValidateTokenResponse{Valid: false}, nil + } + + claims, err := token.ValidateToken(t.s.pubKey, tokenStr, t.s.cfg.Tokens.Issuer) + if err != nil { + return &mciasv1.ValidateTokenResponse{Valid: false}, nil + } + + rec, err := t.s.db.GetTokenRecord(claims.JTI) + if err != nil || rec.IsRevoked() { + return &mciasv1.ValidateTokenResponse{Valid: false}, nil + } + + return &mciasv1.ValidateTokenResponse{ + Valid: true, + Subject: claims.Subject, + Roles: claims.Roles, + ExpiresAt: timestamppb.New(claims.ExpiresAt), + }, nil +} + +// IssueServiceToken issues a token for a system account. Admin only. +func (ts *tokenServiceServer) IssueServiceToken(ctx context.Context, req *mciasv1.IssueServiceTokenRequest) (*mciasv1.IssueServiceTokenResponse, error) { + if err := ts.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.AccountId == "" { + return nil, status.Error(codes.InvalidArgument, "account_id is required") + } + + acct, err := ts.s.db.GetAccountByUUID(req.AccountId) + if err != nil { + return nil, status.Error(codes.NotFound, "account not found") + } + if acct.AccountType != model.AccountTypeSystem { + return nil, status.Error(codes.InvalidArgument, "token issue is only for system accounts") + } + + tokenStr, claims, err := token.IssueToken(ts.s.privKey, ts.s.cfg.Tokens.Issuer, acct.UUID, nil, ts.s.cfg.ServiceExpiry()) + if err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + // Revoke existing system token if any. + existing, err := ts.s.db.GetSystemToken(acct.ID) + if err == nil && existing != nil { + _ = ts.s.db.RevokeToken(existing.JTI, "rotated") + } + + if err := ts.s.db.TrackToken(claims.JTI, acct.ID, claims.IssuedAt, claims.ExpiresAt); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + if err := ts.s.db.SetSystemToken(acct.ID, claims.JTI, claims.ExpiresAt); err != nil { + return nil, status.Error(codes.Internal, "internal error") + } + + actorClaims := claimsFromContext(ctx) + var actorID *int64 + if actorClaims != nil { + if a, err := ts.s.db.GetAccountByUUID(actorClaims.Subject); err == nil { + actorID = &a.ID + } + } + ts.s.db.WriteAuditEvent(model.EventTokenIssued, actorID, &acct.ID, peerIP(ctx), //nolint:errcheck + fmt.Sprintf(`{"jti":%q}`, claims.JTI)) + + return &mciasv1.IssueServiceTokenResponse{ + Token: tokenStr, + ExpiresAt: timestamppb.New(claims.ExpiresAt), + }, nil +} + +// RevokeToken revokes a token by JTI. Admin only. +func (ts *tokenServiceServer) RevokeToken(ctx context.Context, req *mciasv1.RevokeTokenRequest) (*mciasv1.RevokeTokenResponse, error) { + if err := ts.s.requireAdmin(ctx); err != nil { + return nil, err + } + if req.Jti == "" { + return nil, status.Error(codes.InvalidArgument, "jti is required") + } + + if err := ts.s.db.RevokeToken(req.Jti, "admin revocation"); err != nil { + if err == db.ErrNotFound { + return nil, status.Error(codes.NotFound, "token not found or already revoked") + } + return nil, status.Error(codes.Internal, "internal error") + } + + ts.s.db.WriteAuditEvent(model.EventTokenRevoked, nil, nil, peerIP(ctx), //nolint:errcheck + fmt.Sprintf(`{"jti":%q}`, req.Jti)) + return &mciasv1.RevokeTokenResponse{}, nil +} diff --git a/proto/generate.go b/proto/generate.go new file mode 100644 index 0000000..8b1ffb3 --- /dev/null +++ b/proto/generate.go @@ -0,0 +1,10 @@ +// Package proto contains the protobuf source definitions for MCIAS. +// +// To regenerate Go stubs after editing .proto files: +// +// go generate ./proto/... +// +// Prerequisites: protoc, protoc-gen-go, protoc-gen-go-grpc must be in PATH. +// +//go:generate protoc --proto_path=../proto --go_out=../gen --go_opt=paths=source_relative --go-grpc_out=../gen --go-grpc_opt=paths=source_relative mcias/v1/common.proto mcias/v1/admin.proto mcias/v1/auth.proto mcias/v1/token.proto mcias/v1/account.proto +package proto diff --git a/proto/mcias/v1/account.proto b/proto/mcias/v1/account.proto new file mode 100644 index 0000000..1324d48 --- /dev/null +++ b/proto/mcias/v1/account.proto @@ -0,0 +1,119 @@ +// AccountService: account and role CRUD. All RPCs require admin role. +// CredentialService: Postgres credential management. +syntax = "proto3"; + +package mcias.v1; + +option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1"; + +import "mcias/v1/common.proto"; + +// --- Account CRUD --- + +// ListAccountsRequest carries no parameters. +message ListAccountsRequest {} + +// ListAccountsResponse returns all accounts. Credential fields are absent. +message ListAccountsResponse { + repeated Account accounts = 1; +} + +// CreateAccountRequest specifies a new account to create. +message CreateAccountRequest { + string username = 1; + string password = 2; // required for human accounts; security: never logged + string account_type = 3; // "human" or "system" +} + +// CreateAccountResponse returns the created account record. +message CreateAccountResponse { + Account account = 1; +} + +// GetAccountRequest identifies an account by UUID. +message GetAccountRequest { + string id = 1; // UUID +} + +// GetAccountResponse returns the account record. +message GetAccountResponse { + Account account = 1; +} + +// UpdateAccountRequest updates mutable fields. Only non-empty fields are applied. +message UpdateAccountRequest { + string id = 1; // UUID + string status = 2; // "active" or "inactive" (omit to leave unchanged) +} + +// UpdateAccountResponse confirms the update. +message UpdateAccountResponse {} + +// DeleteAccountRequest soft-deletes an account and revokes its tokens. +message DeleteAccountRequest { + string id = 1; // UUID +} + +// DeleteAccountResponse confirms deletion. +message DeleteAccountResponse {} + +// --- Role management --- + +// GetRolesRequest identifies an account by UUID. +message GetRolesRequest { + string id = 1; // UUID +} + +// GetRolesResponse lists the current roles. +message GetRolesResponse { + repeated string roles = 1; +} + +// SetRolesRequest replaces the role set for an account. +message SetRolesRequest { + string id = 1; // UUID + repeated string roles = 2; +} + +// SetRolesResponse confirms the update. +message SetRolesResponse {} + +// AccountService manages accounts and roles. All RPCs require admin role. +service AccountService { + rpc ListAccounts(ListAccountsRequest) returns (ListAccountsResponse); + rpc CreateAccount(CreateAccountRequest) returns (CreateAccountResponse); + rpc GetAccount(GetAccountRequest) returns (GetAccountResponse); + rpc UpdateAccount(UpdateAccountRequest) returns (UpdateAccountResponse); + rpc DeleteAccount(DeleteAccountRequest) returns (DeleteAccountResponse); + rpc GetRoles(GetRolesRequest) returns (GetRolesResponse); + rpc SetRoles(SetRolesRequest) returns (SetRolesResponse); +} + +// --- PG credentials --- + +// GetPGCredsRequest identifies an account by UUID. +message GetPGCredsRequest { + string id = 1; // UUID +} + +// GetPGCredsResponse returns decrypted Postgres credentials. +// Security: password is present only in this response; never in list output. +message GetPGCredsResponse { + PGCreds creds = 1; +} + +// SetPGCredsRequest stores Postgres credentials for an account. +message SetPGCredsRequest { + string id = 1; // UUID + PGCreds creds = 2; +} + +// SetPGCredsResponse confirms the update. +message SetPGCredsResponse {} + +// CredentialService manages Postgres credentials for system accounts. +// All RPCs require admin role. +service CredentialService { + rpc GetPGCreds(GetPGCredsRequest) returns (GetPGCredsResponse); + rpc SetPGCreds(SetPGCredsRequest) returns (SetPGCredsResponse); +} diff --git a/proto/mcias/v1/admin.proto b/proto/mcias/v1/admin.proto new file mode 100644 index 0000000..ff76661 --- /dev/null +++ b/proto/mcias/v1/admin.proto @@ -0,0 +1,38 @@ +// AdminService: health check and public-key retrieval. +// These RPCs are public — no authentication is required. +syntax = "proto3"; + +package mcias.v1; + +option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1"; + +// HealthRequest carries no parameters. +message HealthRequest {} + +// HealthResponse confirms the server is operational. +message HealthResponse { + string status = 1; // "ok" +} + +// GetPublicKeyRequest carries no parameters. +message GetPublicKeyRequest {} + +// GetPublicKeyResponse returns the Ed25519 public key in JWK format fields. +// The "x" field is the base64url-encoded 32-byte public key. +message GetPublicKeyResponse { + string kty = 1; // "OKP" + string crv = 2; // "Ed25519" + string use = 3; // "sig" + string alg = 4; // "EdDSA" + string x = 5; // base64url-encoded public key bytes +} + +// AdminService exposes health and key-material endpoints. +// All RPCs bypass the auth interceptor. +service AdminService { + // Health returns OK when the server is operational. + rpc Health(HealthRequest) returns (HealthResponse); + + // GetPublicKey returns the Ed25519 public key used to verify JWTs. + rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse); +} diff --git a/proto/mcias/v1/auth.proto b/proto/mcias/v1/auth.proto new file mode 100644 index 0000000..48275ed --- /dev/null +++ b/proto/mcias/v1/auth.proto @@ -0,0 +1,99 @@ +// AuthService: login, logout, token renewal, and TOTP management. +syntax = "proto3"; + +package mcias.v1; + +option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1"; + +import "google/protobuf/timestamp.proto"; + +// --- Login --- + +// LoginRequest carries username/password and an optional TOTP code. +// Security: never logged; password and totp_code must not appear in audit logs. +message LoginRequest { + string username = 1; + string password = 2; // security: never logged or stored + string totp_code = 3; // optional; required if TOTP enrolled +} + +// LoginResponse returns the signed JWT and its expiry time. +// Security: token is a bearer credential; the caller must protect it. +message LoginResponse { + string token = 1; + google.protobuf.Timestamp expires_at = 2; +} + +// --- Logout --- + +// LogoutRequest carries no body; the token is extracted from gRPC metadata. +message LogoutRequest {} + +// LogoutResponse confirms the token has been revoked. +message LogoutResponse {} + +// --- Token renewal --- + +// RenewTokenRequest carries no body; the existing token is in metadata. +message RenewTokenRequest {} + +// RenewTokenResponse returns a new JWT with a fresh expiry. +message RenewTokenResponse { + string token = 1; + google.protobuf.Timestamp expires_at = 2; +} + +// --- TOTP enrollment --- + +// EnrollTOTPRequest carries no body; the acting account is from the JWT. +message EnrollTOTPRequest {} + +// EnrollTOTPResponse returns the TOTP secret and otpauth URI for display. +// Security: the secret is shown once; it is stored only in encrypted form. +message EnrollTOTPResponse { + string secret = 1; // base32-encoded; display once, then discard + string otpauth_uri = 2; +} + +// ConfirmTOTPRequest carries the TOTP code to confirm enrollment. +message ConfirmTOTPRequest { + string code = 1; +} + +// ConfirmTOTPResponse confirms TOTP enrollment is complete. +message ConfirmTOTPResponse {} + +// RemoveTOTPRequest carries the target account ID (admin only). +message RemoveTOTPRequest { + string account_id = 1; // UUID of the account to remove TOTP from +} + +// RemoveTOTPResponse confirms removal. +message RemoveTOTPResponse {} + +// AuthService handles all authentication flows. +service AuthService { + // Login authenticates with username+password (+optional TOTP) and returns a JWT. + // Public RPC — no auth required. + rpc Login(LoginRequest) returns (LoginResponse); + + // Logout revokes the caller's current token. + // Requires: valid JWT in metadata. + rpc Logout(LogoutRequest) returns (LogoutResponse); + + // RenewToken exchanges the caller's token for a fresh one. + // Requires: valid JWT in metadata. + rpc RenewToken(RenewTokenRequest) returns (RenewTokenResponse); + + // EnrollTOTP begins TOTP enrollment for the calling account. + // Requires: valid JWT in metadata. + rpc EnrollTOTP(EnrollTOTPRequest) returns (EnrollTOTPResponse); + + // ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app. + // Requires: valid JWT in metadata. + rpc ConfirmTOTP(ConfirmTOTPRequest) returns (ConfirmTOTPResponse); + + // RemoveTOTP removes TOTP from an account (admin only). + // Requires: admin JWT in metadata. + rpc RemoveTOTP(RemoveTOTPRequest) returns (RemoveTOTPResponse); +} diff --git a/proto/mcias/v1/common.proto b/proto/mcias/v1/common.proto new file mode 100644 index 0000000..44b4037 --- /dev/null +++ b/proto/mcias/v1/common.proto @@ -0,0 +1,45 @@ +// Common message types shared across MCIAS gRPC services. +syntax = "proto3"; + +package mcias.v1; + +option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1"; + +import "google/protobuf/timestamp.proto"; + +// Account represents a user or service identity. Credential fields +// (password_hash, totp_secret) are never included in any response. +message Account { + string id = 1; // UUID + string username = 2; + string account_type = 3; // "human" or "system" + string status = 4; // "active", "inactive", or "deleted" + bool totp_enabled = 5; + google.protobuf.Timestamp created_at = 6; + google.protobuf.Timestamp updated_at = 7; +} + +// TokenInfo describes an issued token by its JTI (never the raw value). +message TokenInfo { + string jti = 1; + google.protobuf.Timestamp issued_at = 2; + google.protobuf.Timestamp expires_at = 3; + google.protobuf.Timestamp revoked_at = 4; // zero if not revoked +} + +// PGCreds holds Postgres connection details. Password is decrypted and +// present only when explicitly requested via GetPGCreds; it is never +// included in list responses. +message PGCreds { + string host = 1; + string database = 2; + string username = 3; + string password = 4; // security: only populated on explicit get + int32 port = 5; +} + +// Error is the canonical error detail embedded in gRPC status details. +message Error { + string message = 1; + string code = 2; +} diff --git a/proto/mcias/v1/token.proto b/proto/mcias/v1/token.proto new file mode 100644 index 0000000..354705c --- /dev/null +++ b/proto/mcias/v1/token.proto @@ -0,0 +1,63 @@ +// TokenService: token validation, service-token issuance, and revocation. +syntax = "proto3"; + +package mcias.v1; + +option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1"; + +import "google/protobuf/timestamp.proto"; + +// --- Validate --- + +// ValidateTokenRequest carries the token to validate. +// The token may also be supplied via the Authorization metadata key; +// this field is an alternative for callers that cannot set metadata. +message ValidateTokenRequest { + string token = 1; +} + +// ValidateTokenResponse reports validity and, on success, the claims. +message ValidateTokenResponse { + bool valid = 1; + string subject = 2; // UUID of the account; empty if invalid + repeated string roles = 3; + google.protobuf.Timestamp expires_at = 4; +} + +// --- Issue --- + +// IssueServiceTokenRequest specifies the system account to issue a token for. +message IssueServiceTokenRequest { + string account_id = 1; // UUID of the system account +} + +// IssueServiceTokenResponse returns the new token and its expiry. +message IssueServiceTokenResponse { + string token = 1; + google.protobuf.Timestamp expires_at = 2; +} + +// --- Revoke --- + +// RevokeTokenRequest specifies the JTI to revoke. +message RevokeTokenRequest { + string jti = 1; +} + +// RevokeTokenResponse confirms revocation. +message RevokeTokenResponse {} + +// TokenService manages token lifecycle. +service TokenService { + // ValidateToken checks whether a JWT is valid and returns its claims. + // Public RPC — no auth required. + rpc ValidateToken(ValidateTokenRequest) returns (ValidateTokenResponse); + + // IssueServiceToken issues a new service token for a system account. + // Requires: admin JWT in metadata. + rpc IssueServiceToken(IssueServiceTokenRequest) returns (IssueServiceTokenResponse); + + // RevokeToken revokes a token by JTI. + // Requires: admin JWT in metadata. + rpc RevokeToken(RevokeTokenRequest) returns (RevokeTokenResponse); +}