kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cb661bb8f583f1f905b1b483beb5cbac5189e0b4
mcias/internal/grpcserver/credentialservice.go
Kyle Isom d87b4b4042 Add vault seal/unseal lifecycle 
- New internal/vault package: thread-safe Vault struct with
  seal/unseal state, key material zeroing, and key derivation
- REST: POST /v1/vault/unseal, POST /v1/vault/seal,
  GET /v1/vault/status; health returns sealed status
- UI: /unseal page with passphrase form, redirect when sealed
- gRPC: sealedInterceptor rejects RPCs when sealed
- Middleware: RequireUnsealed blocks all routes except exempt
  paths; RequireAuth reads pubkey from vault at request time
- Startup: server starts sealed when passphrase unavailable
- All servers share single *vault.Vault by pointer
- CSRF manager derives key lazily from vault

Security: Key material is zeroed on seal. Sealed middleware
runs before auth. Handlers fail closed if vault becomes sealed
mid-request. Unseal endpoint is rate-limited (3/s burst 5).
No CSRF on unseal page (no session to protect; chicken-and-egg
with master key). Passphrase never logged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 23:55:37 -07:00

117 lines
3.8 KiB
Go
Raw Blame History

// credentialServiceServer implements mciasv1.CredentialServiceServer.
// All RPCs require admin role.
package grpcserver
import (
"context"
"errors"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1"
"git.wntrmute.dev/kyle/mcias/internal/crypto"
"git.wntrmute.dev/kyle/mcias/internal/db"
"git.wntrmute.dev/kyle/mcias/internal/model"
)
type credentialServiceServer struct {
mciasv1.UnimplementedCredentialServiceServer
s *Server
}
// GetPGCreds decrypts and returns Postgres credentials. Admin only.
// Security: the password field is decrypted and returned; this constitutes
// a sensitive operation. The audit log records the access.
func (c *credentialServiceServer) GetPGCreds(ctx context.Context, req *mciasv1.GetPGCredsRequest) (*mciasv1.GetPGCredsResponse, error) {
if err := c.s.requireAdmin(ctx); err != nil {
return nil, err
}
if req.Id == "" {
return nil, status.Error(codes.InvalidArgument, "id is required")
}
acct, err := c.s.db.GetAccountByUUID(req.Id)
if err != nil {
if errors.Is(err, db.ErrNotFound) {
return nil, status.Error(codes.NotFound, "account not found")
}
return nil, status.Error(codes.Internal, "internal error")
}
cred, err := c.s.db.ReadPGCredentials(acct.ID)
if err != nil {
if errors.Is(err, db.ErrNotFound) {
return nil, status.Error(codes.NotFound, "no credentials stored")
}
return nil, status.Error(codes.Internal, "internal error")
}
// Decrypt the password for admin retrieval.
masterKey, mkErr := c.s.vault.MasterKey()
if mkErr != nil {
return nil, status.Error(codes.Unavailable, "vault sealed")
}
password, err := crypto.OpenAESGCM(masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
if err != nil {
return nil, status.Error(codes.Internal, "internal error")
}
c.s.db.WriteAuditEvent(model.EventPGCredAccessed, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
return &mciasv1.GetPGCredsResponse{
Creds: &mciasv1.PGCreds{
Host: cred.PGHost,
Database: cred.PGDatabase,
Username: cred.PGUsername,
Password: string(password), // security: returned only on explicit admin request
Port: int32(cred.PGPort), //nolint:gosec // G115: PGPort is validated as [1,65535] on write
},
}, nil
}
// SetPGCreds stores Postgres credentials for an account. Admin only.
func (c *credentialServiceServer) SetPGCreds(ctx context.Context, req *mciasv1.SetPGCredsRequest) (*mciasv1.SetPGCredsResponse, error) {
if err := c.s.requireAdmin(ctx); err != nil {
return nil, err
}
if req.Id == "" {
return nil, status.Error(codes.InvalidArgument, "id is required")
}
if req.Creds == nil {
return nil, status.Error(codes.InvalidArgument, "creds is required")
}
cr := req.Creds
if cr.Host == "" || cr.Database == "" || cr.Username == "" || cr.Password == "" {
return nil, status.Error(codes.InvalidArgument, "host, database, username, and password are required")
}
port := int(cr.Port)
if port == 0 {
port = 5432
}
acct, err := c.s.db.GetAccountByUUID(req.Id)
if err != nil {
if errors.Is(err, db.ErrNotFound) {
return nil, status.Error(codes.NotFound, "account not found")
}
return nil, status.Error(codes.Internal, "internal error")
}
masterKey, mkErr := c.s.vault.MasterKey()
if mkErr != nil {
return nil, status.Error(codes.Unavailable, "vault sealed")
}
enc, nonce, err := crypto.SealAESGCM(masterKey, []byte(cr.Password))
if err != nil {
return nil, status.Error(codes.Internal, "internal error")
}
if err := c.s.db.WritePGCredentials(acct.ID, cr.Host, port, cr.Database, cr.Username, enc, nonce); err != nil {
return nil, status.Error(codes.Internal, "internal error")
}
c.s.db.WriteAuditEvent(model.EventPGCredUpdated, nil, &acct.ID, peerIP(ctx), "") //nolint:errcheck
return &mciasv1.SetPGCredsResponse{}, nil
}
Reference in New Issue View Git Blame Copy Permalink