Add record-level authorization for system accounts
Record mutations (create, update, delete) no longer require admin role. Authorization rules: - admin: full access (unchanged) - system mcp-agent: create/delete any record - system account α: create/delete records named α only - human users: read-only (unchanged) Zone mutations remain admin-only. Both REST and gRPC paths enforce the same rules. Update checks authorization against both old and new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -769,6 +769,9 @@ func TestMethodMapCompleteness(t *testing.T) {
|
||||
"/mcns.v1.ZoneService/GetZone",
|
||||
"/mcns.v1.RecordService/ListRecords",
|
||||
"/mcns.v1.RecordService/GetRecord",
|
||||
"/mcns.v1.RecordService/CreateRecord",
|
||||
"/mcns.v1.RecordService/UpdateRecord",
|
||||
"/mcns.v1.RecordService/DeleteRecord",
|
||||
}
|
||||
for _, method := range expectedAuth {
|
||||
if !mm.AuthRequired[method] {
|
||||
@@ -783,9 +786,6 @@ func TestMethodMapCompleteness(t *testing.T) {
|
||||
"/mcns.v1.ZoneService/CreateZone",
|
||||
"/mcns.v1.ZoneService/UpdateZone",
|
||||
"/mcns.v1.ZoneService/DeleteZone",
|
||||
"/mcns.v1.RecordService/CreateRecord",
|
||||
"/mcns.v1.RecordService/UpdateRecord",
|
||||
"/mcns.v1.RecordService/DeleteRecord",
|
||||
}
|
||||
for _, method := range expectedAdmin {
|
||||
if !mm.AdminRequired[method] {
|
||||
|
||||
@@ -25,11 +25,14 @@ func publicMethods() map[string]bool {
|
||||
|
||||
func authRequiredMethods() map[string]bool {
|
||||
return map[string]bool{
|
||||
"/mcns.v1.AuthService/Logout": true,
|
||||
"/mcns.v1.ZoneService/ListZones": true,
|
||||
"/mcns.v1.ZoneService/GetZone": true,
|
||||
"/mcns.v1.RecordService/ListRecords": true,
|
||||
"/mcns.v1.RecordService/GetRecord": true,
|
||||
"/mcns.v1.AuthService/Logout": true,
|
||||
"/mcns.v1.ZoneService/ListZones": true,
|
||||
"/mcns.v1.ZoneService/GetZone": true,
|
||||
"/mcns.v1.RecordService/ListRecords": true,
|
||||
"/mcns.v1.RecordService/GetRecord": true,
|
||||
"/mcns.v1.RecordService/CreateRecord": true,
|
||||
"/mcns.v1.RecordService/UpdateRecord": true,
|
||||
"/mcns.v1.RecordService/DeleteRecord": true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -38,8 +41,5 @@ func adminRequiredMethods() map[string]bool {
|
||||
"/mcns.v1.ZoneService/CreateZone": true,
|
||||
"/mcns.v1.ZoneService/UpdateZone": true,
|
||||
"/mcns.v1.ZoneService/DeleteZone": true,
|
||||
"/mcns.v1.RecordService/CreateRecord": true,
|
||||
"/mcns.v1.RecordService/UpdateRecord": true,
|
||||
"/mcns.v1.RecordService/DeleteRecord": true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10,10 +10,36 @@ import (
|
||||
"google.golang.org/grpc/status"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
|
||||
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// authorizeRecordMutation checks whether the caller may create, update,
|
||||
// or delete a DNS record with the given name. The rules are:
|
||||
//
|
||||
// - admin role: always allowed
|
||||
// - system account "mcp-agent": allowed for any record name
|
||||
// - system account α: allowed only when recordName == α
|
||||
// - all others: denied
|
||||
func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
|
||||
if info == nil {
|
||||
return false
|
||||
}
|
||||
if info.IsAdmin {
|
||||
return true
|
||||
}
|
||||
if info.AccountType != "system" {
|
||||
return false
|
||||
}
|
||||
if info.Username == "mcp-agent" {
|
||||
return true
|
||||
}
|
||||
return recordName == info.Username
|
||||
}
|
||||
|
||||
type recordService struct {
|
||||
pb.UnimplementedRecordServiceServer
|
||||
db *db.DB
|
||||
@@ -55,7 +81,7 @@ func (s *recordService) GetRecord(_ context.Context, req *pb.GetRecordRequest) (
|
||||
return s.recordToProto(*record), nil
|
||||
}
|
||||
|
||||
func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
|
||||
func (s *recordService) CreateRecord(ctx context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
|
||||
if req.Zone == "" {
|
||||
return nil, status.Error(codes.InvalidArgument, "zone is required")
|
||||
}
|
||||
@@ -69,6 +95,10 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
|
||||
return nil, status.Error(codes.InvalidArgument, "value is required")
|
||||
}
|
||||
|
||||
if !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), req.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
|
||||
record, err := s.db.CreateRecord(req.Zone, req.Name, req.Type, req.Value, int(req.Ttl))
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "zone not found")
|
||||
@@ -82,7 +112,7 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
|
||||
return s.recordToProto(*record), nil
|
||||
}
|
||||
|
||||
func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
|
||||
func (s *recordService) UpdateRecord(ctx context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
|
||||
if req.Id <= 0 {
|
||||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||||
}
|
||||
@@ -96,6 +126,15 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
|
||||
return nil, status.Error(codes.InvalidArgument, "value is required")
|
||||
}
|
||||
|
||||
info := mcdslgrpc.TokenInfoFromContext(ctx)
|
||||
existing, lookupErr := s.db.GetRecord(req.Id)
|
||||
if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
if !authorizeRecordMutation(info, req.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
|
||||
record, err := s.db.UpdateRecord(req.Id, req.Name, req.Type, req.Value, int(req.Ttl))
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "record not found")
|
||||
@@ -109,11 +148,16 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
|
||||
return s.recordToProto(*record), nil
|
||||
}
|
||||
|
||||
func (s *recordService) DeleteRecord(_ context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
|
||||
func (s *recordService) DeleteRecord(ctx context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
|
||||
if req.Id <= 0 {
|
||||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||||
}
|
||||
|
||||
existing, lookupErr := s.db.GetRecord(req.Id)
|
||||
if lookupErr == nil && !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), existing.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
|
||||
err := s.db.DeleteRecord(req.Id)
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "record not found")
|
||||
|
||||
Reference in New Issue
Block a user