Move SSO clients from config to database
- Add sso_clients table (migration 000010) with client_id, redirect_uri, tags (JSON), enabled flag, and audit timestamps - Add SSOClient model struct and audit events - Implement DB CRUD with 10 unit tests - Add REST API: GET/POST/PATCH/DELETE /v1/sso/clients (policy-gated) - Add gRPC SSOClientService with 5 RPCs (admin-only) - Add mciasctl sso list/create/get/update/delete commands - Add web UI admin page at /sso-clients with HTMX create/toggle/delete - Migrate handleSSOAuthorize and handleSSOTokenExchange to use DB - Remove SSOConfig, SSOClient struct, lookup methods from config - Simplify: client_id = service_name for policy evaluation Security: - SSO client CRUD is admin-only (policy-gated REST, requireAdmin gRPC) - redirect_uri must use https:// (validated at DB layer) - Disabled clients are rejected at both authorize and token exchange - All mutations write audit events Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -26,14 +26,20 @@ func (u *UIServer) handleSSOAuthorize(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
// Security: validate client_id against registered SSO clients.
|
||||
client := u.cfg.SSOClient(clientID)
|
||||
if client == nil {
|
||||
// Security: validate client_id against registered SSO clients in the database.
|
||||
client, err := u.db.GetSSOClient(clientID)
|
||||
if err != nil {
|
||||
u.logger.Warn("sso: unknown client_id", "client_id", clientID)
|
||||
http.Error(w, "unknown client_id", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if !client.Enabled {
|
||||
u.logger.Warn("sso: disabled client", "client_id", clientID)
|
||||
http.Error(w, "SSO client is disabled", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
// Security: redirect_uri must exactly match the registered URI to prevent
|
||||
// open-redirect attacks.
|
||||
if redirectURI != client.RedirectURI {
|
||||
|
||||
129
internal/ui/handlers_sso_clients.go
Normal file
129
internal/ui/handlers_sso_clients.go
Normal file
@@ -0,0 +1,129 @@
|
||||
package ui
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"git.wntrmute.dev/mc/mcias/internal/audit"
|
||||
"git.wntrmute.dev/mc/mcias/internal/model"
|
||||
)
|
||||
|
||||
func (u *UIServer) handleSSOClientsPage(w http.ResponseWriter, r *http.Request) {
|
||||
csrfToken, err := u.setCSRFCookies(w)
|
||||
if err != nil {
|
||||
http.Error(w, "internal error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
clients, err := u.db.ListSSOClients()
|
||||
if err != nil {
|
||||
u.renderError(w, r, http.StatusInternalServerError, "failed to load SSO clients")
|
||||
return
|
||||
}
|
||||
|
||||
u.render(w, "sso_clients", SSOClientsData{
|
||||
PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r), IsAdmin: isAdmin(r)},
|
||||
Clients: clients,
|
||||
})
|
||||
}
|
||||
|
||||
func (u *UIServer) handleCreateSSOClientUI(w http.ResponseWriter, r *http.Request) {
|
||||
r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
|
||||
if err := r.ParseForm(); err != nil {
|
||||
u.renderError(w, r, http.StatusBadRequest, "invalid form submission")
|
||||
return
|
||||
}
|
||||
|
||||
clientID := strings.TrimSpace(r.FormValue("client_id"))
|
||||
redirectURI := strings.TrimSpace(r.FormValue("redirect_uri"))
|
||||
tagsStr := strings.TrimSpace(r.FormValue("tags"))
|
||||
|
||||
if clientID == "" || redirectURI == "" {
|
||||
u.renderError(w, r, http.StatusBadRequest, "client_id and redirect_uri are required")
|
||||
return
|
||||
}
|
||||
|
||||
var tags []string
|
||||
if tagsStr != "" {
|
||||
for _, t := range strings.Split(tagsStr, ",") {
|
||||
t = strings.TrimSpace(t)
|
||||
if t != "" {
|
||||
tags = append(tags, t)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
claims := claimsFromContext(r.Context())
|
||||
var actorID *int64
|
||||
if claims != nil {
|
||||
if acct, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
|
||||
actorID = &acct.ID
|
||||
}
|
||||
}
|
||||
|
||||
c, err := u.db.CreateSSOClient(clientID, redirectURI, tags, actorID)
|
||||
if err != nil {
|
||||
u.renderError(w, r, http.StatusBadRequest, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
u.writeAudit(r, model.EventSSOClientCreated, actorID, nil,
|
||||
audit.JSON("client_id", c.ClientID))
|
||||
|
||||
u.render(w, "sso_client_row", c)
|
||||
}
|
||||
|
||||
func (u *UIServer) handleToggleSSOClient(w http.ResponseWriter, r *http.Request) {
|
||||
clientID := r.PathValue("clientId")
|
||||
r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
|
||||
if err := r.ParseForm(); err != nil {
|
||||
u.renderError(w, r, http.StatusBadRequest, "invalid form")
|
||||
return
|
||||
}
|
||||
|
||||
enabled := r.FormValue("enabled") == "true"
|
||||
if err := u.db.UpdateSSOClient(clientID, nil, nil, &enabled); err != nil {
|
||||
u.renderError(w, r, http.StatusInternalServerError, "failed to update SSO client")
|
||||
return
|
||||
}
|
||||
|
||||
claims := claimsFromContext(r.Context())
|
||||
var actorID *int64
|
||||
if claims != nil {
|
||||
if acct, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
|
||||
actorID = &acct.ID
|
||||
}
|
||||
}
|
||||
u.writeAudit(r, model.EventSSOClientUpdated, actorID, nil,
|
||||
fmt.Sprintf(`{"client_id":%q,"enabled":%v}`, clientID, enabled))
|
||||
|
||||
c, err := u.db.GetSSOClient(clientID)
|
||||
if err != nil {
|
||||
u.renderError(w, r, http.StatusInternalServerError, "failed to reload SSO client")
|
||||
return
|
||||
}
|
||||
u.render(w, "sso_client_row", c)
|
||||
}
|
||||
|
||||
func (u *UIServer) handleDeleteSSOClientUI(w http.ResponseWriter, r *http.Request) {
|
||||
clientID := r.PathValue("clientId")
|
||||
|
||||
if err := u.db.DeleteSSOClient(clientID); err != nil {
|
||||
u.renderError(w, r, http.StatusInternalServerError, "failed to delete SSO client")
|
||||
return
|
||||
}
|
||||
|
||||
claims := claimsFromContext(r.Context())
|
||||
var actorID *int64
|
||||
if claims != nil {
|
||||
if acct, err := u.db.GetAccountByUUID(claims.Subject); err == nil {
|
||||
actorID = &acct.ID
|
||||
}
|
||||
}
|
||||
u.writeAudit(r, model.EventSSOClientDeleted, actorID, nil,
|
||||
audit.JSON("client_id", clientID))
|
||||
|
||||
// Return empty response so HTMX removes the row.
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
@@ -501,6 +501,10 @@ func (u *UIServer) Register(mux *http.ServeMux) {
|
||||
uiMux.Handle("DELETE /policies/{id}", admin(u.handleDeletePolicyRule))
|
||||
uiMux.Handle("PUT /accounts/{id}/tags", admin(u.handleSetAccountTags))
|
||||
uiMux.Handle("PUT /accounts/{id}/password", admin(u.handleAdminResetPassword))
|
||||
uiMux.Handle("GET /sso-clients", adminGet(u.handleSSOClientsPage))
|
||||
uiMux.Handle("POST /sso-clients", admin(u.handleCreateSSOClientUI))
|
||||
uiMux.Handle("PATCH /sso-clients/{clientId}/toggle", admin(u.handleToggleSSOClient))
|
||||
uiMux.Handle("DELETE /sso-clients/{clientId}", admin(u.handleDeleteSSOClientUI))
|
||||
|
||||
// Service accounts page — accessible to any authenticated user; shows only
|
||||
// the service accounts for which the current user is a token-issue delegate.
|
||||
@@ -923,6 +927,12 @@ type PolicyRuleView struct {
|
||||
IsPending bool // true if not_before is in the future
|
||||
}
|
||||
|
||||
// SSOClientsData is the view model for the SSO clients admin page.
|
||||
type SSOClientsData struct {
|
||||
PageData
|
||||
Clients []*model.SSOClient
|
||||
}
|
||||
|
||||
// PoliciesData is the view model for the policies list page.
|
||||
type PoliciesData struct {
|
||||
PageData
|
||||
|
||||
Reference in New Issue
Block a user