Kyle Isom
59d51a1d38
- proto/mcias/v1/: AdminService, AuthService, TokenService, AccountService, CredentialService; generated Go stubs in gen/ - internal/grpcserver: full handler implementations sharing all business logic (auth, token, db, crypto) with REST server; interceptor chain: logging -> auth (JWT alg-first + revocation) -> rate-limit (token bucket, 10 req/s, burst 10, per-IP) - internal/config: optional grpc_addr field in [server] section - cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr when configured; graceful shutdown of both servers in 15s window - cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands (health, pubkey, account, role, token, pgcreds) using TLS with optional custom CA cert - internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering public RPCs, auth interceptor (no token, invalid, revoked -> 401), non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows, AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip, credential fields absent from all responses Security: JWT validation path identical to REST: alg header checked before signature, alg:none rejected, revocation table checked after sig. Authorization metadata value never logged by any interceptor. Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from all proto response messages — enforced by proto design and confirmed by test TestCredentialFieldsAbsentFromAccountResponse. Login dummy-Argon2 timing guard preserves timing uniformity for unknown users (same as REST handleLogin). TLS required at listener level; cmd/mciassrv uses credentials.NewServerTLSFromFile; no h2c offered. 137 tests pass, zero race conditions (go test -race ./...)
243 lines
6.9 KiB
Go
243 lines
6.9 KiB
Go
// Command mciasdb is the MCIAS database maintenance tool.
|
|
//
|
|
// It operates directly on the SQLite file, bypassing the mciassrv API.
|
|
// Use it for break-glass recovery, offline inspection, schema verification,
|
|
// and maintenance tasks when the server is unavailable.
|
|
//
|
|
// mciasdb requires the same master key configuration as mciassrv (passphrase
|
|
// environment variable or keyfile) to decrypt secrets at rest.
|
|
//
|
|
// Usage:
|
|
//
|
|
// mciasdb --config /etc/mcias/mcias.toml <command> [subcommand] [flags]
|
|
//
|
|
// Commands:
|
|
//
|
|
// schema verify
|
|
// schema migrate
|
|
//
|
|
// account list
|
|
// account get --id UUID
|
|
// account create --username NAME --type human|system
|
|
// account set-password --id UUID
|
|
// account set-status --id UUID --status active|inactive|deleted
|
|
// account reset-totp --id UUID
|
|
//
|
|
// role list --id UUID
|
|
// role grant --id UUID --role ROLE
|
|
// role revoke --id UUID --role ROLE
|
|
//
|
|
// token list --id UUID
|
|
// token revoke --jti JTI
|
|
// token revoke-all --id UUID
|
|
//
|
|
// prune tokens
|
|
//
|
|
// audit tail [--n N]
|
|
// audit query [--account UUID] [--type TYPE] [--since RFC3339] [--json]
|
|
//
|
|
// pgcreds get --id UUID
|
|
// pgcreds set --id UUID --host H --port P --db D --user U
|
|
package main
|
|
|
|
import (
|
|
"errors"
|
|
"flag"
|
|
"fmt"
|
|
"os"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/config"
|
|
"git.wntrmute.dev/kyle/mcias/internal/crypto"
|
|
"git.wntrmute.dev/kyle/mcias/internal/db"
|
|
)
|
|
|
|
func main() {
|
|
configPath := flag.String("config", "mcias.toml", "path to TOML configuration file")
|
|
flag.Usage = usage
|
|
flag.Parse()
|
|
|
|
args := flag.Args()
|
|
if len(args) == 0 {
|
|
usage()
|
|
os.Exit(1)
|
|
}
|
|
|
|
database, masterKey, err := openDB(*configPath)
|
|
if err != nil {
|
|
fatalf("%v", err)
|
|
}
|
|
defer func() {
|
|
_ = database.Close()
|
|
// Zero the master key when done to reduce the window of in-memory exposure.
|
|
for i := range masterKey {
|
|
masterKey[i] = 0
|
|
}
|
|
}()
|
|
|
|
tool := &tool{db: database, masterKey: masterKey}
|
|
|
|
command := args[0]
|
|
subArgs := args[1:]
|
|
|
|
switch command {
|
|
case "schema":
|
|
tool.runSchema(subArgs)
|
|
case "account":
|
|
tool.runAccount(subArgs)
|
|
case "role":
|
|
tool.runRole(subArgs)
|
|
case "token":
|
|
tool.runToken(subArgs)
|
|
case "prune":
|
|
tool.runPrune(subArgs)
|
|
case "audit":
|
|
tool.runAudit(subArgs)
|
|
case "pgcreds":
|
|
tool.runPGCreds(subArgs)
|
|
default:
|
|
fatalf("unknown command %q; run with no args for usage", command)
|
|
}
|
|
}
|
|
|
|
// tool holds shared state for all subcommand handlers.
|
|
type tool struct {
|
|
db *db.DB
|
|
masterKey []byte
|
|
}
|
|
|
|
// openDB loads the config, derives the master key, opens and migrates the DB.
|
|
//
|
|
// Security: Master key derivation uses the same logic as mciassrv so that
|
|
// the same passphrase always yields the same key and encrypted secrets remain
|
|
// readable. The passphrase env var is unset immediately after reading.
|
|
func openDB(configPath string) (*db.DB, []byte, error) {
|
|
cfg, err := config.Load(configPath)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("load config: %w", err)
|
|
}
|
|
|
|
database, err := db.Open(cfg.Database.Path)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("open database %q: %w", cfg.Database.Path, err)
|
|
}
|
|
|
|
if err := db.Migrate(database); err != nil {
|
|
_ = database.Close()
|
|
return nil, nil, fmt.Errorf("migrate database: %w", err)
|
|
}
|
|
|
|
masterKey, err := deriveMasterKey(cfg, database)
|
|
if err != nil {
|
|
_ = database.Close()
|
|
return nil, nil, fmt.Errorf("derive master key: %w", err)
|
|
}
|
|
|
|
return database, masterKey, nil
|
|
}
|
|
|
|
// deriveMasterKey derives or loads the AES-256-GCM master key from config,
|
|
// using identical logic to mciassrv so that encrypted DB secrets are readable.
|
|
//
|
|
// Security: Key file must be exactly 32 bytes (AES-256). Passphrase is read
|
|
// from the environment variable named in cfg.MasterKey.PassphraseEnv and
|
|
// cleared from the environment immediately after. The Argon2id KDF salt is
|
|
// loaded from the database; if absent the DB has no encrypted secrets yet.
|
|
func deriveMasterKey(cfg *config.Config, database *db.DB) ([]byte, error) {
|
|
if cfg.MasterKey.KeyFile != "" {
|
|
data, err := os.ReadFile(cfg.MasterKey.KeyFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read key file: %w", err)
|
|
}
|
|
if len(data) != 32 {
|
|
return nil, fmt.Errorf("key file must be exactly 32 bytes, got %d", len(data))
|
|
}
|
|
key := make([]byte, 32)
|
|
copy(key, data)
|
|
for i := range data {
|
|
data[i] = 0
|
|
}
|
|
return key, nil
|
|
}
|
|
|
|
passphrase := os.Getenv(cfg.MasterKey.PassphraseEnv)
|
|
if passphrase == "" {
|
|
return nil, fmt.Errorf("environment variable %q is not set or empty", cfg.MasterKey.PassphraseEnv)
|
|
}
|
|
_ = os.Unsetenv(cfg.MasterKey.PassphraseEnv)
|
|
|
|
salt, err := database.ReadMasterKeySalt()
|
|
if errors.Is(err, db.ErrNotFound) {
|
|
// No salt means the database has no encrypted secrets yet.
|
|
// Generate a new salt so future writes are consistent.
|
|
salt, err = crypto.NewSalt()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("generate master key salt: %w", err)
|
|
}
|
|
if err := database.WriteMasterKeySalt(salt); err != nil {
|
|
return nil, fmt.Errorf("store master key salt: %w", err)
|
|
}
|
|
} else if err != nil {
|
|
return nil, fmt.Errorf("read master key salt: %w", err)
|
|
}
|
|
|
|
key, err := crypto.DeriveKey(passphrase, salt)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("derive master key: %w", err)
|
|
}
|
|
return key, nil
|
|
}
|
|
|
|
// fatalf prints an error message to stderr and exits with code 1.
|
|
func fatalf(format string, args ...interface{}) {
|
|
fmt.Fprintf(os.Stderr, "mciasdb: "+format+"\n", args...)
|
|
os.Exit(1)
|
|
}
|
|
|
|
// exitCode1 exits with code 1 without printing any message.
|
|
// Used when the message has already been printed.
|
|
func exitCode1() {
|
|
os.Exit(1)
|
|
}
|
|
|
|
func usage() {
|
|
fmt.Fprint(os.Stderr, `mciasdb - MCIAS database maintenance tool
|
|
|
|
Usage: mciasdb --config PATH <command> [subcommand] [flags]
|
|
|
|
Global flags:
|
|
--config Path to TOML config file (default: mcias.toml)
|
|
|
|
Commands:
|
|
schema verify Check schema version; exit 1 if migrations pending
|
|
schema migrate Apply any pending schema migrations
|
|
|
|
account list List all accounts
|
|
account get --id UUID
|
|
account create --username NAME --type human|system
|
|
account set-password --id UUID (prompts interactively)
|
|
account set-status --id UUID --status active|inactive|deleted
|
|
account reset-totp --id UUID
|
|
|
|
role list --id UUID
|
|
role grant --id UUID --role ROLE
|
|
role revoke --id UUID --role ROLE
|
|
|
|
token list --id UUID
|
|
token revoke --jti JTI
|
|
token revoke-all --id UUID
|
|
|
|
prune tokens Delete expired token_revocation rows
|
|
|
|
audit tail [--n N] (default 50)
|
|
audit query [--account UUID] [--type TYPE] [--since RFC3339] [--json]
|
|
|
|
pgcreds get --id UUID
|
|
pgcreds set --id UUID --host H [--port P] --db D --user U
|
|
(password is prompted interactively)
|
|
|
|
NOTE: mciasdb bypasses the mciassrv API and operates directly on the SQLite
|
|
file. Use it only when the server is unavailable or for break-glass recovery.
|
|
All write operations are recorded in the audit log.
|
|
`)
|
|
}
|