Kyle Isom
f34e9a69a0
- errorlint: use errors.Is for db.ErrNotFound comparisons in accountservice.go, credentialservice.go, tokenservice.go - gofmt/goimports: move mciasv1 alias into internal import group in auth.go, credentialservice.go, grpcserver.go, grpcserver_test.go - gosec G115: add nolint annotation on int32 port conversions in mciasgrpcctl/main.go and credentialservice.go (port validated as [1,65535] on input; overflow not reachable) - govet fieldalignment: reorder Server, grpcRateLimiter, grpcRateLimitEntry, testEnv structs to reduce GC bitmap size (96 -> 80 pointer bytes each) - ineffassign: remove intermediate grpcSrv = GRPCServer() call in cmd/mciassrv/main.go (immediately overwritten by TLS build) - staticcheck SA9003: replace empty if-body with _ = Serve(lis) in grpcserver_test.go 0 golangci-lint issues; 137 tests pass (go test -race ./...)
109 lines
3.5 KiB
Go
109 lines
3.5 KiB
Go
// credentialServiceServer implements mciasv1.CredentialServiceServer.
|
|
// All RPCs require admin role.
|
|
package grpcserver
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
|
|
mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1"
|
|
"git.wntrmute.dev/kyle/mcias/internal/crypto"
|
|
"git.wntrmute.dev/kyle/mcias/internal/db"
|
|
"git.wntrmute.dev/kyle/mcias/internal/model"
|
|
)
|
|
|
|
type credentialServiceServer struct {
|
|
mciasv1.UnimplementedCredentialServiceServer
|
|
s *Server
|
|
}
|
|
|
|
// GetPGCreds decrypts and returns Postgres credentials. Admin only.
|
|
// Security: the password field is decrypted and returned; this constitutes
|
|
// a sensitive operation. The audit log records the access.
|
|
func (c *credentialServiceServer) GetPGCreds(ctx context.Context, req *mciasv1.GetPGCredsRequest) (*mciasv1.GetPGCredsResponse, error) {
|
|
if err := c.s.requireAdmin(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
if req.Id == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "id is required")
|
|
}
|
|
acct, err := c.s.db.GetAccountByUUID(req.Id)
|
|
if err != nil {
|
|
if errors.Is(err, db.ErrNotFound) {
|
|
return nil, status.Error(codes.NotFound, "account not found")
|
|
}
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
cred, err := c.s.db.ReadPGCredentials(acct.ID)
|
|
if err != nil {
|
|
if errors.Is(err, db.ErrNotFound) {
|
|
return nil, status.Error(codes.NotFound, "no credentials stored")
|
|
}
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
// Decrypt the password for admin retrieval.
|
|
password, err := crypto.OpenAESGCM(c.s.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
c.s.db.WriteAuditEvent(model.EventPGCredAccessed, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
|
|
|
|
return &mciasv1.GetPGCredsResponse{
|
|
Creds: &mciasv1.PGCreds{
|
|
Host: cred.PGHost,
|
|
Database: cred.PGDatabase,
|
|
Username: cred.PGUsername,
|
|
Password: string(password), // security: returned only on explicit admin request
|
|
Port: int32(cred.PGPort), //nolint:gosec // G115: PGPort is validated as [1,65535] on write
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
// SetPGCreds stores Postgres credentials for an account. Admin only.
|
|
func (c *credentialServiceServer) SetPGCreds(ctx context.Context, req *mciasv1.SetPGCredsRequest) (*mciasv1.SetPGCredsResponse, error) {
|
|
if err := c.s.requireAdmin(ctx); err != nil {
|
|
return nil, err
|
|
}
|
|
if req.Id == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "id is required")
|
|
}
|
|
if req.Creds == nil {
|
|
return nil, status.Error(codes.InvalidArgument, "creds is required")
|
|
}
|
|
|
|
cr := req.Creds
|
|
if cr.Host == "" || cr.Database == "" || cr.Username == "" || cr.Password == "" {
|
|
return nil, status.Error(codes.InvalidArgument, "host, database, username, and password are required")
|
|
}
|
|
port := int(cr.Port)
|
|
if port == 0 {
|
|
port = 5432
|
|
}
|
|
|
|
acct, err := c.s.db.GetAccountByUUID(req.Id)
|
|
if err != nil {
|
|
if errors.Is(err, db.ErrNotFound) {
|
|
return nil, status.Error(codes.NotFound, "account not found")
|
|
}
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
enc, nonce, err := crypto.SealAESGCM(c.s.masterKey, []byte(cr.Password))
|
|
if err != nil {
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
if err := c.s.db.WritePGCredentials(acct.ID, cr.Host, port, cr.Database, cr.Username, enc, nonce); err != nil {
|
|
return nil, status.Error(codes.Internal, "internal error")
|
|
}
|
|
|
|
c.s.db.WriteAuditEvent(model.EventPGCredUpdated, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
|
|
return &mciasv1.SetPGCredsResponse{}, nil
|
|
}
|