Kyle Isom
59d51a1d38
- proto/mcias/v1/: AdminService, AuthService, TokenService, AccountService, CredentialService; generated Go stubs in gen/ - internal/grpcserver: full handler implementations sharing all business logic (auth, token, db, crypto) with REST server; interceptor chain: logging -> auth (JWT alg-first + revocation) -> rate-limit (token bucket, 10 req/s, burst 10, per-IP) - internal/config: optional grpc_addr field in [server] section - cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr when configured; graceful shutdown of both servers in 15s window - cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands (health, pubkey, account, role, token, pgcreds) using TLS with optional custom CA cert - internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering public RPCs, auth interceptor (no token, invalid, revoked -> 401), non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows, AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip, credential fields absent from all responses Security: JWT validation path identical to REST: alg header checked before signature, alg:none rejected, revocation table checked after sig. Authorization metadata value never logged by any interceptor. Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from all proto response messages — enforced by proto design and confirmed by test TestCredentialFieldsAbsentFromAccountResponse. Login dummy-Argon2 timing guard preserves timing uniformity for unknown users (same as REST handleLogin). TLS required at listener level; cmd/mciassrv uses credentials.NewServerTLSFromFile; no h2c offered. 137 tests pass, zero race conditions (go test -race ./...)
108 lines
3.4 KiB
Go
108 lines
3.4 KiB
Go
// credentialServiceServer implements mciasv1.CredentialServiceServer.
|
|
// All RPCs require admin role.
|
|
package grpcserver
|
|
|
|
import (
|
|
"context"
|
|
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/crypto"
|
|
"git.wntrmute.dev/kyle/mcias/internal/db"
|
|
"git.wntrmute.dev/kyle/mcias/internal/model"
|
|
mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1"
|
|
)
|
|
|
|
type credentialServiceServer struct {
|
|
mciasv1.UnimplementedCredentialServiceServer
|
|
s *Server
|
|
}
|
|
|
|
// GetPGCreds decrypts and returns Postgres credentials. Admin only.
|
|
// Security: the password field is decrypted and returned; this constitutes
|
|
// a sensitive operation. The audit log records the access.
|
|
func (c *credentialServiceServer) GetPGCreds(ctx context.Context, req *mciasv1.GetPGCredsRequest) (*mciasv1.GetPGCredsResponse, error) {
|
|
if err := c.s.requireAdmin(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
if req.Id == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "id is required")
|
|
}
|
|
acct, err := c.s.db.GetAccountByUUID(req.Id)
|
|
if err != nil {
|
|
if err == db.ErrNotFound {
|
|
return nil, status.Error(codes.NotFound, "account not found")
|
|
}
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
cred, err := c.s.db.ReadPGCredentials(acct.ID)
|
|
if err != nil {
|
|
if err == db.ErrNotFound {
|
|
return nil, status.Error(codes.NotFound, "no credentials stored")
|
|
}
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
// Decrypt the password for admin retrieval.
|
|
password, err := crypto.OpenAESGCM(c.s.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
c.s.db.WriteAuditEvent(model.EventPGCredAccessed, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
|
|
|
|
return &mciasv1.GetPGCredsResponse{
|
|
Creds: &mciasv1.PGCreds{
|
|
Host: cred.PGHost,
|
|
Database: cred.PGDatabase,
|
|
Username: cred.PGUsername,
|
|
Password: string(password), // security: returned only on explicit admin request
|
|
Port: int32(cred.PGPort),
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
// SetPGCreds stores Postgres credentials for an account. Admin only.
|
|
func (c *credentialServiceServer) SetPGCreds(ctx context.Context, req *mciasv1.SetPGCredsRequest) (*mciasv1.SetPGCredsResponse, error) {
|
|
if err := c.s.requireAdmin(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
if req.Id == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "id is required")
|
|
}
|
|
if req.Creds == nil {
|
|
return nil, status.Error(codes.InvalidArgument, "creds is required")
|
|
}
|
|
|
|
cr := req.Creds
|
|
if cr.Host == "" || cr.Database == "" || cr.Username == "" || cr.Password == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "host, database, username, and password are required")
|
|
}
|
|
port := int(cr.Port)
|
|
if port == 0 {
|
|
port = 5432
|
|
}
|
|
|
|
acct, err := c.s.db.GetAccountByUUID(req.Id)
|
|
if err != nil {
|
|
if err == db.ErrNotFound {
|
|
return nil, status.Error(codes.NotFound, "account not found")
|
|
}
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
enc, nonce, err := crypto.SealAESGCM(c.s.masterKey, []byte(cr.Password))
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
if err := c.s.db.WritePGCredentials(acct.ID, cr.Host, port, cr.Database, cr.Username, enc, nonce); err != nil {
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
c.s.db.WriteAuditEvent(model.EventPGCredUpdated, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
|
|
return &mciasv1.SetPGCredsResponse{}, nil
|
|
}
|