Implement Phase 7: gRPC dual-stack interface

- proto/mcias/v1/: AdminService, AuthService, TokenService, AccountService, CredentialService; generated Go stubs in gen/ - internal/grpcserver: full handler implementations sharing all business logic (auth, token, db, crypto) with REST server; interceptor chain: logging -> auth (JWT alg-first + revocation) -> rate-limit (token bucket, 10 req/s, burst 10, per-IP) - internal/config: optional grpc_addr field in [server] section - cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr when configured; graceful shutdown of both servers in 15s window - cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands (health, pubkey, account, role, token, pgcreds) using TLS with optional custom CA cert - internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering public RPCs, auth interceptor (no token, invalid, revoked -> 401), non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows, AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip, credential fields absent from all responses Security: JWT validation path identical to REST: alg header checked before signature, alg:none rejected, revocation table checked after sig. Authorization metadata value never logged by any interceptor. Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from all proto response messages — enforced by proto design and confirmed by test TestCredentialFieldsAbsentFromAccountResponse. Login dummy-Argon2 timing guard preserves timing uniformity for unknown users (same as REST handleLogin). TLS required at listener level; cmd/mciassrv uses credentials.NewServerTLSFromFile; no h2c offered. 137 tests pass, zero race conditions (go test -race ./...)
2026-03-11 14:38:47 -07:00
parent 094741b56d
commit 59d51a1d38
38 changed files with 9132 additions and 10 deletions
--- a/cmd/mciasdb/role.go
+++ b/cmd/mciasdb/role.go
@@ -0,0 +1,112 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+)
+
+func (t *tool) runRole(args []string) {
+	if len(args) == 0 {
+		fatalf("role requires a subcommand: list, grant, revoke")
+	}
+	switch args[0] {
+	case "list":
+		t.roleList(args[1:])
+	case "grant":
+		t.roleGrant(args[1:])
+	case "revoke":
+		t.roleRevoke(args[1:])
+	default:
+		fatalf("unknown role subcommand %q", args[0])
+	}
+}
+
+func (t *tool) roleList(args []string) {
+	fs := flag.NewFlagSet("role list", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("role list: --id is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	roles, err := t.db.GetRoles(a.ID)
+	if err != nil {
+		fatalf("get roles: %v", err)
+	}
+
+	if len(roles) == 0 {
+		fmt.Printf("account %s has no roles\n", a.Username)
+		return
+	}
+	fmt.Printf("roles for %s (%s):\n", a.Username, a.UUID)
+	for _, r := range roles {
+		fmt.Printf("  %s\n", r)
+	}
+}
+
+func (t *tool) roleGrant(args []string) {
+	fs := flag.NewFlagSet("role grant", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	role := fs.String("role", "", "role to grant (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("role grant: --id is required")
+	}
+	if *role == "" {
+		fatalf("role grant: --role is required")
+	}
+	*role = strings.TrimSpace(*role)
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	if err := t.db.GrantRole(a.ID, *role, nil); err != nil {
+		fatalf("grant role: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("role_granted", nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","role":%q}`, *role)); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("granted role %q to account %s\n", *role, a.Username)
+}
+
+func (t *tool) roleRevoke(args []string) {
+	fs := flag.NewFlagSet("role revoke", flag.ExitOnError)
+	id := fs.String("id", "", "account UUID (required)")
+	role := fs.String("role", "", "role to revoke (required)")
+	_ = fs.Parse(args)
+
+	if *id == "" {
+		fatalf("role revoke: --id is required")
+	}
+	if *role == "" {
+		fatalf("role revoke: --role is required")
+	}
+
+	a, err := t.db.GetAccountByUUID(*id)
+	if err != nil {
+		fatalf("get account: %v", err)
+	}
+
+	if err := t.db.RevokeRole(a.ID, *role); err != nil {
+		fatalf("revoke role: %v", err)
+	}
+
+	if err := t.db.WriteAuditEvent("role_revoked", nil, &a.ID, "", fmt.Sprintf(`{"actor":"mciasdb","role":%q}`, *role)); err != nil {
+		fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
+	}
+
+	fmt.Printf("revoked role %q from account %s\n", *role, a.Username)
+}