Implement Phase 7: gRPC dual-stack interface
- proto/mcias/v1/: AdminService, AuthService, TokenService, AccountService, CredentialService; generated Go stubs in gen/ - internal/grpcserver: full handler implementations sharing all business logic (auth, token, db, crypto) with REST server; interceptor chain: logging -> auth (JWT alg-first + revocation) -> rate-limit (token bucket, 10 req/s, burst 10, per-IP) - internal/config: optional grpc_addr field in [server] section - cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr when configured; graceful shutdown of both servers in 15s window - cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands (health, pubkey, account, role, token, pgcreds) using TLS with optional custom CA cert - internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering public RPCs, auth interceptor (no token, invalid, revoked -> 401), non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows, AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip, credential fields absent from all responses Security: JWT validation path identical to REST: alg header checked before signature, alg:none rejected, revocation table checked after sig. Authorization metadata value never logged by any interceptor. Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from all proto response messages — enforced by proto design and confirmed by test TestCredentialFieldsAbsentFromAccountResponse. Login dummy-Argon2 timing guard preserves timing uniformity for unknown users (same as REST handleLogin). TLS required at listener level; cmd/mciassrv uses credentials.NewServerTLSFromFile; no h2c offered. 137 tests pass, zero race conditions (go test -race ./...)
This commit is contained in:
99
proto/mcias/v1/auth.proto
Normal file
99
proto/mcias/v1/auth.proto
Normal file
@@ -0,0 +1,99 @@
|
||||
// AuthService: login, logout, token renewal, and TOTP management.
|
||||
syntax = "proto3";
|
||||
|
||||
package mcias.v1;
|
||||
|
||||
option go_package = "git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1";
|
||||
|
||||
import "google/protobuf/timestamp.proto";
|
||||
|
||||
// --- Login ---
|
||||
|
||||
// LoginRequest carries username/password and an optional TOTP code.
|
||||
// Security: never logged; password and totp_code must not appear in audit logs.
|
||||
message LoginRequest {
|
||||
string username = 1;
|
||||
string password = 2; // security: never logged or stored
|
||||
string totp_code = 3; // optional; required if TOTP enrolled
|
||||
}
|
||||
|
||||
// LoginResponse returns the signed JWT and its expiry time.
|
||||
// Security: token is a bearer credential; the caller must protect it.
|
||||
message LoginResponse {
|
||||
string token = 1;
|
||||
google.protobuf.Timestamp expires_at = 2;
|
||||
}
|
||||
|
||||
// --- Logout ---
|
||||
|
||||
// LogoutRequest carries no body; the token is extracted from gRPC metadata.
|
||||
message LogoutRequest {}
|
||||
|
||||
// LogoutResponse confirms the token has been revoked.
|
||||
message LogoutResponse {}
|
||||
|
||||
// --- Token renewal ---
|
||||
|
||||
// RenewTokenRequest carries no body; the existing token is in metadata.
|
||||
message RenewTokenRequest {}
|
||||
|
||||
// RenewTokenResponse returns a new JWT with a fresh expiry.
|
||||
message RenewTokenResponse {
|
||||
string token = 1;
|
||||
google.protobuf.Timestamp expires_at = 2;
|
||||
}
|
||||
|
||||
// --- TOTP enrollment ---
|
||||
|
||||
// EnrollTOTPRequest carries no body; the acting account is from the JWT.
|
||||
message EnrollTOTPRequest {}
|
||||
|
||||
// EnrollTOTPResponse returns the TOTP secret and otpauth URI for display.
|
||||
// Security: the secret is shown once; it is stored only in encrypted form.
|
||||
message EnrollTOTPResponse {
|
||||
string secret = 1; // base32-encoded; display once, then discard
|
||||
string otpauth_uri = 2;
|
||||
}
|
||||
|
||||
// ConfirmTOTPRequest carries the TOTP code to confirm enrollment.
|
||||
message ConfirmTOTPRequest {
|
||||
string code = 1;
|
||||
}
|
||||
|
||||
// ConfirmTOTPResponse confirms TOTP enrollment is complete.
|
||||
message ConfirmTOTPResponse {}
|
||||
|
||||
// RemoveTOTPRequest carries the target account ID (admin only).
|
||||
message RemoveTOTPRequest {
|
||||
string account_id = 1; // UUID of the account to remove TOTP from
|
||||
}
|
||||
|
||||
// RemoveTOTPResponse confirms removal.
|
||||
message RemoveTOTPResponse {}
|
||||
|
||||
// AuthService handles all authentication flows.
|
||||
service AuthService {
|
||||
// Login authenticates with username+password (+optional TOTP) and returns a JWT.
|
||||
// Public RPC — no auth required.
|
||||
rpc Login(LoginRequest) returns (LoginResponse);
|
||||
|
||||
// Logout revokes the caller's current token.
|
||||
// Requires: valid JWT in metadata.
|
||||
rpc Logout(LogoutRequest) returns (LogoutResponse);
|
||||
|
||||
// RenewToken exchanges the caller's token for a fresh one.
|
||||
// Requires: valid JWT in metadata.
|
||||
rpc RenewToken(RenewTokenRequest) returns (RenewTokenResponse);
|
||||
|
||||
// EnrollTOTP begins TOTP enrollment for the calling account.
|
||||
// Requires: valid JWT in metadata.
|
||||
rpc EnrollTOTP(EnrollTOTPRequest) returns (EnrollTOTPResponse);
|
||||
|
||||
// ConfirmTOTP confirms TOTP enrollment with a code from the authenticator app.
|
||||
// Requires: valid JWT in metadata.
|
||||
rpc ConfirmTOTP(ConfirmTOTPRequest) returns (ConfirmTOTPResponse);
|
||||
|
||||
// RemoveTOTP removes TOTP from an account (admin only).
|
||||
// Requires: admin JWT in metadata.
|
||||
rpc RemoveTOTP(RemoveTOTPRequest) returns (RemoveTOTPResponse);
|
||||
}
|
||||
Reference in New Issue
Block a user