kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7db560dae49001aaacb97b4fb6ef1ec426e38931
mcias/web/templates/account_detail.html
Kyle Isom d4e8ef90ee Add policy-based authz and token delegation 
- Replace requireAdmin (role-based) guards on all REST endpoints
  with RequirePolicy middleware backed by the existing policy engine;
  built-in admin wildcard rule (-1) preserves existing admin behaviour
  while operator rules can now grant targeted access to non-admin
  accounts (e.g. a system account allowed to list accounts)
- Wire policy engine into Server: loaded from DB at startup,
  reloaded after every policy-rule create/update/delete so changes
  take effect immediately without a server restart
- Add service_account_delegates table (migration 000008) so a human
  account can be delegated permission to issue tokens for a specific
  system account without holding the admin role
- Add token-download nonce mechanism: a short-lived (5 min),
  single-use random nonce is stored server-side after token issuance;
  the browser downloads the token as a file via
  GET /token/download/{nonce} (Content-Disposition: attachment)
  instead of copying from a flash message
- Add /service-accounts UI page for non-admin delegates
- Add TestPolicyEnforcement and TestPolicyDenyRule integration tests

Security:
- Policy engine uses deny-wins, default-deny semantics; admin wildcard
  is a compiled-in built-in and cannot be deleted via the API
- Token download nonces are 128-bit crypto/rand values, single-use,
  and expire after 5 minutes; a background goroutine evicts stale entries
- alg header validation and Ed25519 signing unchanged

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 14:40:16 -07:00

63 lines
2.6 KiB
HTML
Raw Blame History

{{define "account_detail"}}{{template "base" .}}{{end}}
{{define "title"}}{{.Account.Username}} — MCIAS{{end}}
{{define "content"}}
<div class="page-header d-flex align-center justify-between">
<div>
<h1>{{.Account.Username}}</h1>
<p class="text-muted text-small">{{.Account.UUID}}</p>
</div>
<a class="btn btn-secondary" href="/accounts">← Accounts</a>
</div>
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Account Info</h2>
<dl style="display:grid;grid-template-columns:140px 1fr;gap:.5rem .75rem;font-size:.9rem">
<dt class="text-muted">Type</dt><dd>{{.Account.AccountType}}</dd>
<dt class="text-muted">Status</dt>
<dd id="status-cell">{{template "account_status" .}}</dd>
<dt class="text-muted">TOTP</dt><dd>{{if .Account.TOTPRequired}}Enabled{{else}}Disabled{{end}}</dd>
<dt class="text-muted">Created</dt><dd class="text-small">{{formatTime .Account.CreatedAt}}</dd>
<dt class="text-muted">Updated</dt><dd class="text-small">{{formatTime .Account.UpdatedAt}}</dd>
</dl>
</div>
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Roles</h2>
<div id="roles-editor">{{template "roles_editor" .}}</div>
</div>
<div class="card">
<div class="d-flex align-center justify-between" style="margin-bottom:1rem">
<h2 style="font-size:1rem;font-weight:600">Tokens</h2>
{{if and (eq (string .Account.AccountType) "system") .CanIssueToken}}
<button class="btn btn-sm btn-secondary"
hx-post="/accounts/{{.Account.UUID}}/token"
hx-target="#token-list" hx-swap="outerHTML">Issue Token</button>
{{end}}
</div>
{{template "token_list" .}}
</div>
{{if eq (string .Account.AccountType) "system"}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Postgres Credentials</h2>
{{template "pgcreds_form" .}}
</div>
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Token Issue Access</h2>
<div id="token-delegates-section">{{template "token_delegates" .}}</div>
</div>
{{end}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Tags</h2>
<div id="tags-editor">{{template "tags_editor" .}}</div>
</div>
{{if eq (string .Account.AccountType) "human"}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Reset Password</h2>
<p class="text-muted text-small" style="margin-bottom:.75rem">
Set a new password for this account. All active sessions will be revoked.
</p>
<div id="password-reset-section">
{{template "password_reset_form" .}}
</div>
</div>
{{end}}
{{end}}
Reference in New Issue View Git Blame Copy Permalink