kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5bc8f0543c4862909aed6ca0631ee7cc7c25473
mcias/cmd/mciasdb/pgcreds.go
Kyle Isom 59d51a1d38 Implement Phase 7: gRPC dual-stack interface 
- proto/mcias/v1/: AdminService, AuthService, TokenService,
  AccountService, CredentialService; generated Go stubs in gen/
- internal/grpcserver: full handler implementations sharing all
  business logic (auth, token, db, crypto) with REST server;
  interceptor chain: logging -> auth (JWT alg-first + revocation) ->
  rate-limit (token bucket, 10 req/s, burst 10, per-IP)
- internal/config: optional grpc_addr field in [server] section
- cmd/mciassrv: dual-stack startup; gRPC/TLS listener on grpc_addr
  when configured; graceful shutdown of both servers in 15s window
- cmd/mciasgrpcctl: companion gRPC CLI mirroring mciasctl commands
  (health, pubkey, account, role, token, pgcreds) using TLS with
  optional custom CA cert
- internal/grpcserver/grpcserver_test.go: 20 tests via bufconn covering
  public RPCs, auth interceptor (no token, invalid, revoked -> 401),
  non-admin -> 403, Login/Logout/RenewToken/ValidateToken flows,
  AccountService CRUD, SetPGCreds/GetPGCreds AES-GCM round-trip,
  credential fields absent from all responses
Security:
  JWT validation path identical to REST: alg header checked before
  signature, alg:none rejected, revocation table checked after sig.
  Authorization metadata value never logged by any interceptor.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) absent from
  all proto response messages — enforced by proto design and confirmed
  by test TestCredentialFieldsAbsentFromAccountResponse.
  Login dummy-Argon2 timing guard preserves timing uniformity for
  unknown users (same as REST handleLogin).
  TLS required at listener level; cmd/mciassrv uses
  credentials.NewServerTLSFromFile; no h2c offered.
137 tests pass, zero race conditions (go test -race ./...)
2026-03-11 14:38:47 -07:00

128 lines
4.0 KiB
Go
Raw Blame History

package main
import (
"errors"
"flag"
"fmt"
"os"
"git.wntrmute.dev/kyle/mcias/internal/crypto"
"git.wntrmute.dev/kyle/mcias/internal/db"
)
func (t *tool) runPGCreds(args []string) {
if len(args) == 0 {
fatalf("pgcreds requires a subcommand: get, set")
}
switch args[0] {
case "get":
t.pgCredsGet(args[1:])
case "set":
t.pgCredsSet(args[1:])
default:
fatalf("unknown pgcreds subcommand %q", args[0])
}
}
// pgCredsGet decrypts and prints Postgres credentials for an account.
// A warning is printed before the output to remind the operator that
// the password is sensitive and must not be logged.
//
// Security: Credentials are decrypted in-memory using the master key and
// printed directly to stdout. The operator is responsible for ensuring the
// terminal output is not captured in logs. The plaintext password is never
// written to disk.
func (t *tool) pgCredsGet(args []string) {
fs := flag.NewFlagSet("pgcreds get", flag.ExitOnError)
id := fs.String("id", "", "account UUID (required)")
_ = fs.Parse(args)
if *id == "" {
fatalf("pgcreds get: --id is required")
}
a, err := t.db.GetAccountByUUID(*id)
if err != nil {
fatalf("get account: %v", err)
}
cred, err := t.db.ReadPGCredentials(a.ID)
if errors.Is(err, db.ErrNotFound) {
fatalf("no Postgres credentials stored for account %s", a.Username)
}
if err != nil {
fatalf("read pg credentials: %v", err)
}
// Decrypt the password.
// Security: AES-256-GCM decryption; any tampering with the ciphertext or
// nonce will cause decryption to fail with an authentication error.
plaintext, err := crypto.OpenAESGCM(t.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
if err != nil {
fatalf("decrypt pg password: %v", err)
}
if err := t.db.WriteAuditEvent("pgcred_accessed", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil {
fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
}
// Print warning before sensitive output.
fmt.Fprintln(os.Stderr, "WARNING: output below contains a plaintext password. Do not log or share.")
fmt.Printf("Host: %s\n", cred.PGHost)
fmt.Printf("Port: %d\n", cred.PGPort)
fmt.Printf("Database: %s\n", cred.PGDatabase)
fmt.Printf("Username: %s\n", cred.PGUsername)
fmt.Printf("Password: %s\n", string(plaintext))
}
// pgCredsSet prompts for a Postgres password interactively, encrypts it with
// AES-256-GCM, and stores the credentials for the given account.
//
// Security: No --password flag is provided to prevent the password from
// appearing in shell history or process listings. Encryption uses a fresh
// random nonce each time.
func (t *tool) pgCredsSet(args []string) {
fs := flag.NewFlagSet("pgcreds set", flag.ExitOnError)
id := fs.String("id", "", "account UUID (required)")
host := fs.String("host", "", "Postgres host (required)")
port := fs.Int("port", 5432, "Postgres port")
dbName := fs.String("db", "", "Postgres database name (required)")
username := fs.String("user", "", "Postgres username (required)")
_ = fs.Parse(args)
if *id == "" || *host == "" || *dbName == "" || *username == "" {
fatalf("pgcreds set: --id, --host, --db, and --user are required")
}
a, err := t.db.GetAccountByUUID(*id)
if err != nil {
fatalf("get account: %v", err)
}
password, err := readPassword("Postgres password: ")
if err != nil {
fatalf("read password: %v", err)
}
if password == "" {
fatalf("password must not be empty")
}
// Encrypt the password at rest.
// Security: AES-256-GCM with a fresh random nonce ensures ciphertext
// uniqueness even if the same password is stored multiple times.
enc, nonce, err := crypto.SealAESGCM(t.masterKey, []byte(password))
if err != nil {
fatalf("encrypt pg password: %v", err)
}
if err := t.db.WritePGCredentials(a.ID, *host, *port, *dbName, *username, enc, nonce); err != nil {
fatalf("write pg credentials: %v", err)
}
if err := t.db.WriteAuditEvent("pgcred_updated", nil, &a.ID, "", `{"actor":"mciasdb"}`); err != nil {
fmt.Fprintf(os.Stderr, "warning: write audit event: %v\n", err)
}
fmt.Printf("Postgres credentials stored for account %s\n", a.Username)
}
Reference in New Issue View Git Blame Copy Permalink